Hacker stole sensitive FEMA and border patrol data in months-long breach
By Sean Lyngaas, Gabe Cohen, CNN
(CNN) — An unidentified hacker stole sensitive data from Customs and Border Protection and Federal Emergency Management Agency employees in a “widespread” breach this summer that lasted several weeks, according to an internal FEMA assessment reviewed by CNN.
The incident led to an urgent cleanup operation by senior Department of Homeland Security IT officials after the hacker gained deeper access to a FEMA computer network that handles operations in a region that stretches from New Mexico to Texas to Louisiana, the document says.
The incident has roiled the Department of Homeland Security, which oversees both FEMA and Customs and Border Protection, and raised new questions about the department’s ability to protect the information of the more than quarter-million people who work there.
Homeland Security Secretary Kristi Noem announced the firing last month of two dozen FEMA IT employees, including the agency’s top tech executives, blasting them for “severe lapses in security” that allowed a “threat actor to breach FEMA’s network and threaten the entire Department and the nation as a whole.” Noem appears to have been referring to the same incident described in the document obtained by CNN.
In her August 29 statement, Noem said that “no sensitive data was extracted from any DHS networks,” but the document says that on September 10, a “DHS Task Force” and FEMA officials confirmed that the attacker stole FEMA and CBP employee data.
The document, which was presented to FEMA staff this week in an update on the breach, reveals just how easily the attacker bypassed the agency’s digital defenses.
In mid-July, as the intruder navigated FEMA’s systems and attempted to extract sensitive information, DHS launched its initial efforts to contain and halt the breach. Yet, according to the assessment, nearly two months later — by September 5 — DHS and FEMA were still trying to remediate the incident.
It was not immediately clear who carried out the hack.
“On August 29, at the time the statement was issued, there was no evidence that sensitive DHS operational data had been compromised,” a DHS spokesperson said, referring to Noem’s previous statement. “This remains an active investigation, and we will not comment on or validate leaked internal materials.”
The attacker hit software made by Citrix, a government contractor, that allows users to access networks remotely. That type of software is a prime target for hackers because it can be a gateway to more sensitive parts of a network.
NextGov/FCW, a tech news publication, first reported on the document.
Though Noem called the fired FEMA workers incompetent, some longtime FEMA officials previously told CNN that the ousted leaders were “extremely competent” and “highly respected.”
The firings came on the heels of another controversy: Several agency employees had just been placed on administrative leave and later put under investigation for signing an open letter to Congress warning that the Trump administration’s overhaul of the agency was undermining disaster response and putting communities at risk.
Noem has insisted her department is “cleaning house at FEMA.” Her sweeping actions have left many high-ranking current and former officials questioning whether she is using these incidents as a pretext for a broader purge.
At any given time, US officials are dealing with numerous hacking threats facing the sprawling confederation of federal computer systems.
US cyber officials issued an “emergency directive” last week ordering federal agencies to defend their networks against an “advanced” group of hackers that have breached at least one agency in an apparent espionage campaign. It was not immediately clear if the FEMA breach is related to that activity.
™ & © 2025 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.