US GAO data breach: US agency says it was alerted to breach by contractor CGI Federal

The US Government Accountability Office (GAO) said Monday that CGI Federal, an IT contractor and unit of CGI Inc, notified the agency of a data breach last month affecting about 6,000 current and former GAO employees.

The GAO, a research arm of Congress, said in a statement the data involved personally identifiable information on employees including some people who worked there from 2007 to 2017.

Elevate Your Tech Prowess with High-Value Skill Courses

Offering College Course Website
MIT MIT Technology Leadership and Innovation Visit
Indian School of Business ISB Product Management Visit
Indian School of Business ISB Professional Certificate in Product Management Visit

A breach notification letter seen by Reuters said that the data contained “names, social security numbers, addresses, and some banking information.” The letter said the breach had been carried out by a “threat actor exploiting a vulnerability in an externally provided platform” but didn’t delve into specifics.

GAO spokesperson Chuck Young said his agency was notified about the breach on Jan. 17 but referred questions about its impact to CGI. CGI Federal did not immediately return messages seeking comment.

CGI, which has pivoted toward cybersecurity in recent years, has a host of contracts with the federal government. In recent congressional testimony, a CGI official said that the company has provided IT protection for “100 participating agencies” through the U.S. cybersecurity agency tasked with protecting federal networks.

In the same testimony, GCI said it provided cybersecurity services the State, Justice, Commerce, and Labor departments as well as the Federal Communications Commission and the United States Agency for International Development.

Discover the stories of your interest


The cybersecurity agency did not immediately respond to a request for comment about CGI. The FBI did not immediately return emails.