US Cyber Agency CISA Admits Lack of Preparedness After Employee Leaked Login Data on GitHub
The US Cybersecurity and Infrastructure Security Agency (CISA) revealed it had to create an emergency response plan *during* an incident after a contractor leaked sensitive government login data publicly on GitHub.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) admitted in a post-mortem report that it lacked a pre-prepared playbook for the sensitive cloud data leak incident that occurred last May. This resulted in officials having to "spend time creating [the playbook] during the initial stages of the incident" while simultaneously addressing immediate issues.
The incident began in May when security researchers from GitGuardian discovered a large amount of sensitive information, such as keys and credentials for accessing U.S. government systems, stored in a publicly accessible GitHub repository. This data had been uploaded by an employee of a contractor working for CISA itself. The researchers attempted to directly notify the contractor company but received no response.
The story became public after the researchers informed independent cybersecurity investigative journalist Brian Krebs. Krebs then contacted CISA directly. Only after being contacted by the journalist did CISA act, taking the repository offline and immediately revoking or changing all leaked sensitive data.
Interestingly, CISA has for years advocated for and urged various public and private organizations to create playbooks for responding to different types of cyber incidents. However, in its latest report, the agency itself admitted it "missed creating a GitHub/Cloud playbook beforehand" specifically for this type of situation. Nevertheless, CISA stated that its post-incident review found no evidence that malicious actors had used the leaked data, and no customer data or other sensitive information was affected.
This incident is a critical reminder that even national agencies responsible for cybersecurity can have process vulnerabilities. It underscores the importance of having pre-prepared incident response plans for all scenarios, rather than creating them only after a problem occurs.