It happened in May. A contractor screwed up. They left the front door wide open.
Brian Krebs found the mess first. Not exactly a minor error, this was a digital hostage situation waiting to happen. An employee of a CISA contractor uploaded a GitHub repository containing reams of passwords. Access keys for US government systems, sitting there for anyone with a web browser.
CISA’s own postmortem reveals an uncomfortable truth. They had no plan. None. When the dust was still settling from that initial discovery, CISA staff weren’t executing a response. They were writing it.
“Staff had to spend time building a playbook during the early stages of the incident.”
Think about that. You are the shield against federal network attacks, yet you’re improvising how to hold the shield when it starts leaking data. It shouldn’t work like this, but it did.
Krebs noticed the exposure. A researcher from GitGuardian tried to alert the contractor first. Silence. The void gave nothing back. So Krebs went up the chain. He contacted CISA. Only then did action happen.
The repository came down. Credentials revoked. Replaced.
No customer data was lost. That is something, I guess. CISA thanked the reporter and the researcher for the save. It was a close call. Maybe too close.
The agency admitted their channels for researchers were vague. “Not well defined,” they called it. They are fixing it. Faster paths for notification now. Playbooks for anticipated needs. The idea is that you don’t write the rulebook during the fire. You read it before the spark.
But the delay remains. A spokesperson won’t say how much time was lost while the playbook was being drafted. The silence on that detail speaks volumes.
Are we surprised?
Infrastructure gets hardened. People forget to patch. Sometimes, even the defenders have to figure out what to do when the panic sets in.
