Government Accountability Office Breach Exposes Thousands of Employee Records

A breach of the Government Accountability Office (GAO) has resulted in the compromise of data associated with thousands of current and former employees, primarily from 2007 to 2017, along with some affiliated companies, the agency confirmed.

The breach, impacting approximately 6,600 individuals, was disclosed by GAO’s contractor, CGI Federal, on January 17. According to agency spokesperson Chuck Young, the breach exploited a notorious vulnerability in the Atlassian Confluence workforce collaboration tool.

CGI Federal, the victim of the breach involving the third-party tool, took immediate action upon notification of the incident. The breach exploited a vulnerability detailed in an advisory jointly issued by the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in October.

The advisory warned of active exploitation targeting certain versions of Atlassian Confluence Data Center and Server, allowing malicious actors to gain access to victim systems and continue exploitation post-patch. Researchers highlighted the potential for “mass exploitation” of the vulnerability.

Despite the advisory, a lapse of three months occurred between its issuance and CGI Federal’s notification to GAO on January 17, 2024. CGI Federal, the U.S. subsidiary of Canada-based CGI, attributed the delay to its adherence to threat advisory guidance from CISA and ongoing proactive measures to address vulnerabilities.

Atlassian, the provider of the Confluence tool, stated that it notified customers of the vulnerability on October 4, urging immediate action to safeguard data. The company emphasized its commitment to customer protection and support in mitigating risks.

GAO is conducting an investigation into the breach’s cause and plans to provide identity theft monitoring services to affected individuals. CGI Federal’s work with GAO primarily focused on the agency’s financial management systems, according to Young.
