
Breach of FEMA, CBP deepens concerns over national security vulnerabilities

Turmoil inside CISA has hampered its ability to compel compliance, sustain rigorous monitoring across DHS

When the Department of Homeland Security (DHS) confirmed that a breach in July exposed data from the Federal Emergency Management Agency (FEMA) and Customs and Border Protection (CBP), the initial reaction was disbelief.

The idea that two of the nation’s most critical agencies could be compromised through a single breach raises questions not only about the technical gaps that allowed the attack, but also about the resilience of the federal government’s security posture. Workforce reductions at FEMA have already impacted disaster response readiness.

Almost immediately after reporting about the breach emerged, members of Congress began pressing DHS, FEMA, and CBP leadership for more information.

The breach arrives at a time of heightened concern about federal cybersecurity resilience. The federal government has invested heavily in modernizing IT systems and implementing Zero Trust requirements, but progress has been uneven.

Legacy systems, decentralized governance, and chronic workforce shortages continue to leave federal networks exposed.

What is emerging about the breach is a picture of weak segmentation, outdated systems, and monitoring gaps that left critical networks exposed for weeks. According to internal briefings, the breach originated in FEMA Region 6, which encompasses Arkansas, Louisiana, New Mexico, Oklahoma, and Texas.

The attacker gained entry through Citrix remote-access software using compromised credentials to move within the agency’s systems. The intrusion was discovered when DHS officials alerted FEMA that unusual activity had been detected. But by then the compromise had already persisted for weeks.

What began as an intrusion in a regional office of FEMA ultimately spilled into CBP, where employee data was also exposed. DHS Secretary Kristi Noem’s announcement in late August that two dozen FEMA IT staff had been fired for “massive cyber failures” underscored both the seriousness of the incident and the government’s desire to show accountability.

Noem’s actions, though, did little to erase the fact that the attackers had time to linger inside systems essential to national emergency response. Meanwhile, some lawmakers criticized Noem’s decision to fire FEMA IT staff, asking whether the terminations were scapegoating rather than addressing root causes.

For security experts, the breach is troubling not simply because of what data may have been taken, but because of what the compromise reveals about DHS’s internal cybersecurity architecture.

Ensar Seker, Chief Information Security Officer at SOCRadar, pointed out that the incident demonstrates how interconnected federal networks create fertile ground for lateral movement.

“This breach targeting both FEMA and Customs and Border Protection highlights the growing risk of lateral movement across interconnected federal systems, especially when regional network segments are left exposed,” Seker said.

“A compromise that lasted several weeks without detection suggests not just a failure of preventive security controls, but likely gaps in real-time monitoring and behavioral anomaly detection,” Seker added.

Seker’s concern about lateral movement is not theoretical. FEMA’s regional networks play a pivotal role in emergency coordination, especially in areas like Region 6 where hurricanes, flooding, and severe weather regularly test FEMA’s response capabilities.

An attacker with persistent access could have mapped response protocols, exfiltrated sensitive employee personally identifiable information (PII), and gleaned operational plans covering disaster preparation, response, and deployment, and even the secure locations of equipment and relief supplies.

“The fact that the attacker gained deep access to a FEMA environment that supports critical emergency operations across several states is particularly alarming,” Seker said. “This isn’t just a data breach; it’s a breach of trust in systems that Americans rely on during disasters.”

The absence of attribution further complicates the picture. No threat actor has yet been named, and no specific state or criminal group has claimed responsibility.

Seker cautioned that this uncertainty itself is dangerous. “If the attacker maintained persistence long enough to pivot laterally, they could have exfiltrated sensitive employee PII, internal operational planning data, and potentially even response coordination protocols, all of which could be weaponized in future incidents,” he said.

“What makes this more concerning is that no threat actor has been named yet,” Seker added. And “the longer attribution remains unclear, the greater the uncertainty for federal employees, partners, and the public.”

Paul Bischoff, a consumer privacy advocate at Comparitech, echoed Seker’s concerns while homing in on the technical shortcomings that may have enabled the breach.

“A breach that lasts several weeks usually implies that DHS failed to properly secure the data,” Bischoff said. “If the data was left exposed to the Internet for that long, then any number of hackers could have found and stolen it in that time.”

Bischoff suggested that the likely culprit may have been CitrixBleed, a well-documented vulnerability in Citrix NetScaler software that the federal government had already warned agencies to patch.

“I surmise that hackers exploited the CitrixBleed vulnerability in an unpatched version of the Citrix NetScaler software, which is used for VPNs and other network gateways,” Bischoff said. The “Cybersecurity and Infrastructure Security Agency [CISA], which is also run by the federal government, issued guidance on how to avoid CitrixBleed in 2023.”

“The big questions we should be asking now are if it’s possible that more than one unauthorized party accessed the data, whether any of them were state-sponsored or political actors, and what data was stolen,” Bischoff noted.

The mention of CitrixBleed is particularly damning because CISA provided agencies with clear mitigation guidance in 2023. If FEMA was still running unpatched Citrix software in 2025, it would indicate a basic lapse in patch management, one of the most fundamental responsibilities of any IT security team.

The failure to enforce or verify compliance, though, sits squarely within CISA’s oversight mandate. But since late 2024 and into this year, CISA has been under heavy political strain and internal turmoil.

A wave of resignations, firings, and political pressure has left CISA with acting officials and uncertainty at the top. Some of its career cyber experts departed under pressure, weakening institutional memory. This turmoil has left CISA hampered in its ability to compel compliance and sustain rigorous monitoring across sprawling DHS sub-agencies.

And then there’s the congressional gridlock. Partisan fights have stalled renewal of core CISA authorities, such as aspects of the Cybersecurity Information Sharing Act of 2015 (CISA 2015), which gave liability protections to companies sharing threat indicators. Without legislative clarity, CISA has struggled to keep private-sector cooperation strong.

Combine that with DHS’s acknowledgment that compromised credentials were used to gain access, and the likely picture is one of weak multifactor authentication enforcement and insufficient monitoring that made the attacker’s job easier. The fact that 24 IT staff were terminated suggests leadership concluded that the breach was preventable with standard security hygiene.
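The two failure modes the article keeps returning to, Seker’s point about missing behavioral anomaly detection and DHS’s acknowledgment that valid but compromised credentials were used, are exactly what a per-account baseline over a remote-access gateway’s authentication log is meant to surface. The Python below is an added example, not code from the article, DHS, FEMA, or any vendor. It assumes a constructed, simplified log line format (real Citrix Gateway/NetScaler logs differ and would need their fields mapped into `LoginEvent`), and every user name, IP address, and timestamp in the sample is made up. It goes slightly beyond the article by covering four signals a defender would typically stack: a successful login without a second factor, a login from a country never seen for that account during the baseline period, two logins from different countries too close together to be one person, and a burst of failures followed by a success.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed, simplified log format assumed for this example (real gateway logs differ):
#   <ISO-8601 timestamp> user=<name> src=<ip> country=<ISO country> mfa=<yes|no> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<country>[A-Z]{2}) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src: str
    country: str
    mfa: bool
    success: bool


def parse_line(line: str) -> Optional[LoginEvent]:
    """Parse one log line; unparseable lines return None so they are skipped, not mis-read."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LoginEvent(
        ts=datetime.fromisoformat(m["ts"]),
        user=m["user"], src=m["src"], country=m["country"],
        mfa=(m["mfa"] == "yes"), success=(m["result"] == "success"),
    )


def analyze(lines, baseline_end, travel_window=timedelta(hours=1),
            fail_threshold=5, fail_window=timedelta(minutes=10)):
    """Return (rule, user, timestamp) findings for successful logins after baseline_end.

    Rules:
      no-mfa              successful login without a second factor
      new-country         login from a country not seen for that user during the baseline
      impossible-travel   two successful logins from different countries within travel_window
      spray-then-success  >= fail_threshold failures within fail_window, then a success
    Logins before baseline_end only feed the per-user baseline; they are not alerted on.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)

    # Per-user baseline: countries seen on successful logins during the baseline period.
    known_countries = defaultdict(set)
    for e in events:
        if e.success and e.ts <= baseline_end:
            known_countries[e.user].add(e.country)

    findings = []
    last_success = {}                    # user -> most recent successful event
    recent_failures = defaultdict(list)  # user -> timestamps of failures since last success
    for e in events:
        if not e.success:
            recent_failures[e.user].append(e.ts)
            continue
        if e.ts > baseline_end:
            if not e.mfa:
                findings.append(("no-mfa", e.user, e.ts))
            if e.country not in known_countries[e.user]:
                findings.append(("new-country", e.user, e.ts))
            prev = last_success.get(e.user)
            if prev and prev.country != e.country and e.ts - prev.ts <= travel_window:
                findings.append(("impossible-travel", e.user, e.ts))
            fails = [t for t in recent_failures[e.user] if e.ts - t <= fail_window]
            if len(fails) >= fail_threshold:
                findings.append(("spray-then-success", e.user, e.ts))
        last_success[e.user] = e
        recent_failures[e.user].clear()
    return findings


# Constructed sample: two weeks of normal activity, then a no-MFA login from a new
# country, a too-fast return to the usual country, and a failure burst on a second account.
SAMPLE_LOG = """\
2025-06-01T08:02:11 user=alice src=198.51.100.7 country=US mfa=yes result=success
2025-06-03T07:58:40 user=alice src=198.51.100.7 country=US mfa=yes result=success
2025-06-05T09:14:02 user=bob src=203.0.113.9 country=US mfa=yes result=success
2025-06-16T02:41:55 user=alice src=192.0.2.45 country=RO mfa=no result=success
2025-06-16T03:10:05 user=alice src=198.51.100.7 country=US mfa=yes result=success
2025-06-17T01:00:01 user=bob src=192.0.2.88 country=US mfa=yes result=failure
2025-06-17T01:00:30 user=bob src=192.0.2.88 country=US mfa=yes result=failure
2025-06-17T01:01:00 user=bob src=192.0.2.88 country=US mfa=yes result=failure
2025-06-17T01:01:30 user=bob src=192.0.2.88 country=US mfa=yes result=failure
2025-06-17T01:02:00 user=bob src=192.0.2.88 country=US mfa=yes result=failure
2025-06-17T01:03:30 user=bob src=192.0.2.88 country=US mfa=yes result=success
"""
BASELINE_END = datetime(2025, 6, 14, 23, 59, 59)


def run_sample():
    return analyze(SAMPLE_LOG.splitlines(), BASELINE_END)


if __name__ == "__main__":
    for rule, user, ts in run_sample():
        print(f"{ts.isoformat()} {user}: {rule}")
```

The baseline period is a parameter rather than a hard-coded window because the right length depends on how stable an agency’s workforce locations are; an account with no baseline at all (a brand-new user) will fire `new-country` on its first login, which is usually the desired behaviour for a remote-access gateway. In practice these findings would feed a SIEM rather than stdout, and the country field would come from the gateway’s own geolocation or an enrichment step.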

The ripple effects of this incident are difficult to overstate. FEMA is the agency Americans expect to show up with aid and coordination in times of disaster. A breach of its internal systems is not just an inconvenience; it erodes confidence in the federal government’s ability to manage crises.

If, as Seker suggested, attackers accessed disaster response protocols, that information could provide adversaries with a roadmap of vulnerabilities to exploit during future emergencies.

The exposure of CBP employee data also carries its own risks, particularly in the realm of border security. CBP officers and agents are frequent targets of harassment campaigns, and any leak of personal details, assignments, or duty stations could be used for doxxing, phishing, or intimidation.

The FEMA–CBP breach also recalls a troubling history of DHS data exposures. In 2019, a CBP subcontractor suffered a breach that exposed facial recognition images of travelers. That same year, FEMA mistakenly shared banking and personal information of over two million disaster survivors with a contractor.

And each time, the pattern has been the same: sensitive data ends up in the wrong hands because of poor controls, insufficient oversight, or preventable mistakes. The most recent breach reinforces that DHS has not yet solved these fundamental governance issues.

The urgency of reform could not be clearer. Seker argued that DHS needs to adopt a robust Zero Trust approach across its components.

“The incident underscores the urgency for agencies like DHS to implement more robust Zero Trust architectures, extend attack surface visibility into traditionally siloed regional environments, and continuously audit access paths, especially for hybrid or legacy systems,” he said.

Zero Trust principles are especially critical in environments where legacy systems like Citrix gateways remain in play. As Seker observed, “We’re seeing a rise in state-linked threat actors exploiting weakly segmented infrastructure and federated identities across agencies.”

“This breach is a textbook case of why cybersecurity shouldn’t be managed in operational silos,” Seker said. “For federal agencies, the stakes aren’t just reputational or financial. They’re national security.”

At the same time, Bischoff’s point about multiple possible intruders lingers as a haunting prospect. The longer the systems were exposed, the higher the probability that opportunistic hackers, cybercriminals, or even state-backed operators each had time to rifle through sensitive data.

That uncertainty will weigh heavily on breach notifications, as employees and contractors from both FEMA and CBP wait to find out exactly what was stolen. Without transparency, though, on whether Social Security numbers, banking details, or operational records were compromised, those potentially affected have little clarity on what risks they now face.

In Washington, the political reverberations have already begun. Noem’s decision to fire FEMA IT staff was clearly aimed at projecting accountability, but critics argue that scapegoating rank-and-file employees distracts from the systemic underinvestment and governance failures that allowed the breach to happen in the first place.

Congressional oversight committees will be gearing up for hearings that will likely probe why DHS agencies have repeatedly failed to follow their own cybersecurity directives and whether structural reforms, including independent auditing, are required.

Lawmakers are also expected to press FEMA and CBP to provide a full accounting of what data was compromised and whether foreign adversaries may now possess information about U.S. emergency response and border operations.
