The Congressional Budget Office just confirmed it was breached by foreign hackers who potentially accessed sensitive communications between lawmakers and researchers. The attack highlights a critical cybersecurity failure - the agency's Cisco firewall hadn't been patched for over a year, leaving it vulnerable to exploits that security researchers had been tracking since last month.
The Congressional Budget Office just became the latest federal agency to fall victim to a cyberattack that could have far-reaching implications for congressional operations. The nonpartisan agency confirmed Friday it's investigating a breach that security experts believe stemmed from a glaring patch management failure lasting more than a year.
Caitlin Emma, a CBO spokesperson, told TechCrunch the agency "has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls." But the damage may already be done - The Washington Post reports that unspecified foreign hackers potentially accessed internal emails, chat logs, and sensitive communications between the agency and lawmakers' offices.
The breach carries particular weight because CBO serves as Congress's economic crystal ball, providing cost estimates and analysis for everything from major legislation to committee-level budget decisions. When lawmakers need to know what a bill will cost taxpayers, they turn to CBO's researchers for the math.
Reuters reported that the Senate Sergeant at Arms office quickly moved to alert congressional offices about the compromise, warning that hackers could weaponize stolen emails to craft convincing spear-phishing attacks targeting other government officials.
Security researcher Kevin Beaumont didn't wait for official explanations. Shortly after news broke, he posted on Bluesky that he suspected the breach traced back to CBO's outdated Cisco ASA firewall. Last month, Beaumont had flagged that the agency was running firewall software last patched in 2024 - leaving it exposed to a series of newly discovered security flaws that suspected Chinese government hackers were actively exploiting.
The timeline reveals a perfect storm of cybersecurity negligence. Beaumont noted the vulnerable firewall remained unpatched even as the federal government shutdown took effect on October 1st. By Thursday, he reported the firewall had finally gone offline - but apparently too late to prevent the breach.