Skip to content

Illustration by iStock, Security Management

CISA Shares Lessons Learned from Own Data Breach

Cyber vulnerabilities come in many shapes and forms. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a blog post on 9 July analyzing the lessons it learned from a disclosure of its own information online.

Here's what happened and what other organizations can learn from the incident.

What Happened

On 13 May, GitGuardian’s automated tool discovered just under 1 gigabyte of information that appeared to include sensitive information from CISA on a public GitHub repository.

GitHub is a cloud-based platform specializing in providing developers with a place to store, share, and collaborate on code and projects. It has robust security protections, but also public-facing capabilities. GitGuardian is a cybersecurity firm specializing in software code security. As part of its work, it continuously scans public or unprotected GitHub databases for sensitive information. When it finds something, as a pro bono service, it alerts the potentially compromised organization.

Upon discovering the information, GitGuardian’s automated system sent alerts to the owner of the GitHub files on 13 May. Nine alerts returned automated responses from the GitHub owner. GitGuardian researchers looked into the situation and discovered how damaging the information could be.

GitGuardian wrote in a May blog post that “the exposed material provided a detailed view into cloud infrastructure, deployment workflows, software supply-chain tooling, and internal operations practices.” GitGuardian noted that “the repository was a catalogue of unsafe practices: plain text passwords, backups committed to Git, and explicit instruction to disable GitHub’s secret scanning.”

GitGuardian researchers tried to reach CISA officials about the data but were unsuccessful until they enlisted the assistance of cybersecurity journalist Brian Krebs, who facilitated contact on 15 May. In Krebs’s description, a file labelled “importantAWStokens” contained admin credentials to three Amazon AWS GovCloud servers, and the data also “listed plain text usernames and passwords for dozens of internal CISA systems.”

On the day CISA learned about the incident, which it said contained data from a personal repository owned by a contractor, the agency facilitated the removal of the content from GitHub, retained a copy of the data for analysis, and revoked the system access of the individual responsible.

CISA concluded that the “leaked credentials were not used outside of CISA’s environment,” and “no customer or mission data was exposed.”

Lessons Learned

CISA took its entire development environment offline and reset credentials after discovering the incident. It analyzed all environments to which the contractor had access and changed all credentials whether related to the data breach or not. Finally, it re-examined who has access to its code repositories and took steps to limit the capability of users to upload to public code repositories. CISA brought its development environment back online after taking these steps. 

Among the successes from its response, CISA pointed to:

  • The capability and processes that external people took to call attention to the problem.

  • Zero trust policies implemented across production and development environments aided in detecting potential fallout from the breach.

  • Advanced logging capabilities, which CISA used to quickly and thoroughly investigate the incident. It also said the investigation uncovered additional logging opportunities, which have since been implemented.


CISA did highlight incident reporting from outside sources as an area for improvement. The agency is positioned to receive reports from companies about breaches and to communicate critical information about cyber protections out to companies. But it was not set up to receive incident reporting about CISA vulnerabilities, which caused initial delays in its response.

Other lessons learned include incorporating the unique vulnerabilities that public or cooperative services introduce into operations.

Guillaume Valadon, the original researcher from GitGuardian who determined the potential importance of the breach and took extra effort to ensure CISA responded, praised the agency for issuing the lessons learned post-incident response. He then took those lessons and translated them into practices other organizations can implement:

  1. Take external vulnerability reports seriously.

  2. Monitor repositories continuously for exposed secrets.

  3. Build a dedicated secrets-leak response playbook.

  4. Simplify security incident reporting channels.

  5. Strengthen development environment guardrails.

  6. Test cryptographic key rotation readiness.


“CISA lived it, wrote it down, and shared it. That is exactly the incident communication we should expect from every organization,” Valadon wrote.

arrow_upward