A hacker infiltrated the Federal Emergency Management Agency’s networks for months earlier this year, stealing sensitive data on FEMA and U.S. Customs and Border Protection employees, according to an incident report.
The Department of Homeland Security alerted FEMA on July 7 that a hacker had infiltrated its network by exploiting compromised credentials in Citrix Systems Inc.’s remote desktop software, according to a summary reviewed by Bloomberg News. The breach targeted FEMA’s Region 6—covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas—where the stolen data was taken from servers housed in that region, the document shows.
The hacker’s identity remains unknown, but the fallout was swift: Homeland Security Secretary Kristi Noem dismissed two dozen FEMA employees — including several top IT executives — over the agency’s handling of the breach, according to a person familiar with the matter.
Spokespersons for FEMA, DHS, CBP, and Citrix did not immediately respond to requests for comment. Portions of the incident summary were first reported by Nextgov/FCW.
On July 14, the hacker advanced deeper into FEMA’s systems, installing virtual private network software in an effort to remotely breach a database, according to the incident summary. The intruder ultimately gained access to Microsoft Corp.’s Active Directory—a tool IT administrators use to control user permissions—and from there stole sensitive employee data from both FEMA and U.S. Customs and Border Protection, another DHS agency.
On July 16, FEMA disabled Citrix remote access in Region 6 and required employees to adopt multifactor authentication, the summary states.
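The summary's two findings of interest to defenders are that the intrusion rode on stolen credentials through remote-access software that was not protected by multifactor authentication, and that the actor stayed inside the network for roughly six weeks. The script below is an added illustration (not code from FEMA, DHS, or Citrix, and not drawn from the incident summary) of the kind of check a security team can run over its own remote-access authentication logs: it flags remote logins that were accepted with a password alone, and it computes each account's first-seen to last-seen window so that long-running activity on a password-only account stands out. The log records, field names and account names are constructed for the example.

```python
import datetime as dt

# Constructed sample authentication records (hypothetical; not real agency logs).
# "source" names the access path, "mfa" records whether a second factor was verified.
SAMPLE_EVENTS = [
    {"ts": "2025-06-22T03:14:00Z", "user": "jdoe",   "source": "citrix-gateway", "mfa": False, "src_ip": "203.0.113.10"},
    {"ts": "2025-06-30T09:02:00Z", "user": "bchen",  "source": "workstation",    "mfa": False, "src_ip": "10.20.0.5"},
    {"ts": "2025-07-01T12:45:00Z", "user": "asmith", "source": "citrix-gateway", "mfa": True,  "src_ip": "198.51.100.7"},
    {"ts": "2025-07-14T02:30:00Z", "user": "jdoe",   "source": "citrix-gateway", "mfa": False, "src_ip": "203.0.113.10"},
    {"ts": "2025-08-05T04:10:00Z", "user": "jdoe",   "source": "vpn-client",     "mfa": False, "src_ip": "203.0.113.10"},
]

# Access paths that reach the network from outside and therefore must require MFA.
REMOTE_ACCESS_SOURCES = {"citrix-gateway", "vpn-client"}

# Activity spanning at least this many days on a password-only account is worth a look.
LONG_DWELL_DAYS = 30


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2025-06-22T03:14:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def find_password_only_remote_logins(events):
    """Return every remote-access login that was accepted without a second factor."""
    return [e for e in events
            if e["source"] in REMOTE_ACCESS_SOURCES and not e["mfa"]]


def account_activity_windows(events):
    """Map each user to (first_seen, last_seen, span_in_days) across all their events."""
    windows = {}
    for e in events:
        ts = parse_ts(e["ts"])
        first, last = windows.get(e["user"], (ts, ts))[:2]
        windows[e["user"]] = (min(first, ts), max(last, ts))
    return {user: (first, last, (last - first).days)
            for user, (first, last) in windows.items()}


def long_lived_password_only_accounts(events, min_days=LONG_DWELL_DAYS):
    """Accounts that logged in remotely without MFA and stayed active for min_days or more."""
    weak = {e["user"] for e in find_password_only_remote_logins(events)}
    spans = account_activity_windows(events)
    return sorted(u for u in weak if spans[u][2] >= min_days)


def summarize(events):
    """Produce a compact report a responder could act on."""
    weak_logins = find_password_only_remote_logins(events)
    return {
        "password_only_remote_logins": len(weak_logins),
        "accounts_missing_mfa": sorted({e["user"] for e in weak_logins}),
        "long_lived_password_only_accounts": long_lived_password_only_accounts(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

In the constructed data, `bchen` authenticates without MFA but only from an internal workstation, so the check does not flag that login; `jdoe` is flagged both for password-only gateway and VPN logins and for a 44-day activity span, which is the combination the summary describes. On real logs the same two questions (who got in remotely without a second factor, and for how long was that account active) are a reasonable first pass after remote-access MFA is enforced.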
Investigators determined the hacker remained inside the network from June 22 until August 5.
In an Aug. 29 statement announcing the dismissals, Noem declared that "FEMA’s career IT leadership failed on every level," citing what she described as widespread "incompetence," including the agency’s lack of multifactor authentication. The ousted officials have not responded to requests for comment.
In her statement, Noem insisted that the breach was contained "before any American citizens were directly impacted" and that "no sensitive data was extracted from any DHS networks." However, DHS’s internal investigation later concluded that the hacker had successfully stolen federal employee identity data, according to the overview.
On Thursday, U.S. officials reported that hackers had breached Cisco Systems Inc. firewall devices used across the federal government. It remains unclear which agencies were affected, or whether the FEMA breach is connected to these attacks.
Photo: Stefani Reynolds/Bloomberg