Key US government body says it might have been breached, with thousands of employees affected

The GAO is a non-partisan government agency that provides auditing, evaluative, and investigative services for the US Congress. It is described as “the supreme audit institution of the federal government of the United States”.

Confirmed attack

Following the incident, CGI Federal sent a breach notification letter to affected individuals, Reuters further reported. In the letter, the company said the attackers stole "names, social security numbers, addresses, and some banking information." To steal this information, the attackers exploited a vulnerability in an externally provided platform, the letter also said, without explaining further. 

The data breach was later confirmed to Nextgov by GAO spokesperson Charles Young: “On January 17 of this year, CGI Federal, a contractor involved in GAO’s financial management systems, notified GAO of a data breach impacting approximately 6,600 people, primarily current and former GAO employees from 2007 to 2017, as well as some companies doing business with GAO,” Young said. 

“GAO immediately took steps to begin identifying and notifying the impacted individuals regarding the release of PII (personally identifiable information),” the statement added. 

A CGI representative recently testified in front of the US Congress, during which they said the company provides IT protection for “100 participating agencies”, Reuters said. The representative further elaborated that the State, Justice, Commerce, and Labor departments, all used the company’s services, as well as the Federal Communications Commission (FCC) and the US State for International Development (USAID).

More from TechRadar Pro

• The US government has suffered a whole load of data breaches we never even knew about
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now