Congress Demands Answers After CISA Data Leak Exposes GovCloud Keys

Lawmakers on both sides of the aisle are demanding answers after KrebsOnSecurity exposed a massive CISA data leak that revealed AWS GovCloud keys and dozens of internal credentials on a public GitHub repo dubbed “Private‑CISA.”

CISA data leak sparks congressional scrutiny

The breach, first reported on May 18, showed a contractor with admin rights disabling GitHub’s secret‑scanning guardrails and pushing plaintext keys to a public profile. Experts say the repository, created in November 2025, appears to have been used as a personal scratchpad rather than a managed project. “This raises serious concerns about CISA’s internal controls,” wrote Sen. Maggie Hassan (D‑NH) in a May 19 letter to Acting Director Nick Andersen, adding that the agency’s recent pandemic-era staffing cuts—↓ 1/3 of its workforce and the loss of most senior leaders—may have weakened its security culture. Rep. Bennie Thompson (D‑MS) echoed the alarm, warning that adversaries such as China, Russia and Iran could exploit the exposed roadmap to infiltrate federal networks.

“The files provide a clear path for hostile actors to gain persistence on CISA systems,”

the representative said. CISA acknowledged the leak but claimed no sensitive data was compromised, a stance challenged by security researcher Dylan Ayrey of Truffle Security, who found an RSA private key still active weeks after the agency was notified. The key could let an attacker read every repository in the CISA‑IT GitHub organization, hijack CI/CD pipelines and modify admin settings. Ayrey told KrebsOnSecurity that CISA eventually revoked the key but has yet to rotate other critical credentials. In a brief statement, CISA said it is working with vendors to “rotate and render invalid” any leaked secrets. The episode highlights the limits of technical controls; as Risky Business host James Wilson noted, policies can block deliberate disabling of secret scans, yet a contractor can still sidestep oversight by using a personal account. “This is fundamentally a human problem,” co‑host Adam Boileau added. The incident arrives as CISA scrambles to contain the breach, with the agency still tracking the full scope of exposed assets. For further context on the broader implications for national cyber defenses, see Reuters.