Source: Krebs on Security — 22 May 2026
What we are tracking
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials. On May 18, KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development platform had created a public GitHub profile called “Pri…
RingSafe analysis
This is a textbook accidental-insider incident inside a government-contractor environment, and India has the same fact pattern recurring across NIC vendors, CERT-In contractors, state e-governance subcontractors, and BFSI PSU code-development platforms. The lesson is not “scan GitHub” — it’s that organisations must assume contractors with admin-level access to source-control will, at some point, push to a public repo. Controls that work: mandatory git pre-commit hooks scanning for high-entropy strings, GitHub organisation-level Push Protection with secret-scanning enforcement, short-lived AWS STS credentials in place of long-lived IAM access keys, and automated IAM key rotation triggered by any GitHub secret-scanning alert. Map to MITRE ATT&CK T1552.001 (Credentials in Files) and T1078.004 (Cloud Accounts). DPDP Section 8 applies to any contractor leak touching Indian citizen data — the contractor is a “data processor,” but the data fiduciary owns the breach and the 72-hour clock.
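As an added example, not code from the RingSafe analysis or the Krebs report, the following Python pre-commit hook implements the first control listed above: it reads only the lines being added in the staged diff, flags AWS access key IDs by pattern and other candidate secrets by Shannon entropy, and exits non-zero so git refuses the commit. The 4.0 bits-per-character threshold, the candidate-token regex and the embedded sample diff are assumptions to tune per repository; the credential values in the sample are the placeholder keys from AWS documentation, constructed here for the test, not real secrets.

```python
#!/usr/bin/env python3
"""Pre-commit hook: block commits that add AWS key IDs or high-entropy strings."""
import math
import re
import subprocess
import sys
from collections import Counter

# AWS access key IDs: AKIA... (long-lived IAM user keys), ASIA... (STS temporary keys).
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Candidate secret tokens: base64/hex-looking runs of at least 20 characters.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Assumption: 4.0 bits/char separates random-looking secrets from identifiers; tune per repo.
ENTROPY_THRESHOLD = 4.0

# Constructed sample diff using the placeholder credentials from AWS documentation.
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -0,0 +1,4 @@
+ENABLE_VERBOSE_LOGGING_FOR_DEBUG = True
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+region = "us-gov-west-1"
"""


def shannon_entropy(token):
    """Bits of entropy per character of the token (0.0 for an empty or single-symbol string)."""
    if not token:
        return 0.0
    n = len(token)
    return -sum((c / n) * math.log2(c / n) for c in Counter(token).values())


def scan_added_lines(diff_text):
    """Return (kind, new_file_line_number, token) for every secret-like string on an added line."""
    findings = []
    lineno = None
    for line in diff_text.splitlines():
        if line.startswith("+++") or line.startswith("---"):
            continue  # file headers, not content
        if line.startswith("@@"):
            m = re.search(r"\+(\d+)", line)  # starting line number on the new side
            lineno = int(m.group(1)) if m else None
            continue
        if line.startswith("+"):
            content = line[1:]
            for m in AWS_ACCESS_KEY_RE.finditer(content):
                findings.append(("aws-access-key-id", lineno, m.group(0)))
            for m in CANDIDATE_RE.finditer(content):
                token = m.group(0)
                if AWS_ACCESS_KEY_RE.search(token):
                    continue  # already reported by the pattern rule
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append(("high-entropy", lineno, token))
            if lineno is not None:
                lineno += 1
        elif line.startswith(" ") and lineno is not None:
            lineno += 1  # context line: advances the new-side line counter
        # removed lines ("-") and other text do not advance the new-side counter
    return findings


def check_diff(diff_text):
    """Print redacted findings to stderr; return the hook exit status (1 blocks the commit)."""
    findings = scan_added_lines(diff_text)
    for kind, lineno, token in findings:
        redacted = f"{token[:4]}...{token[-2:]} (length {len(token)})"
        print(f"BLOCKED [{kind}] line {lineno}: {redacted}", file=sys.stderr)
    return 1 if findings else 0


def staged_diff():
    """Unified diff of what is about to be committed; -U0 drops context lines."""
    result = subprocess.run(
        ["git", "diff", "--cached", "-U0"], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    sys.exit(check_diff(staged_diff()))
```

Install it as `.git/hooks/pre-commit` (executable) or wire it through a hooks framework; it is a last line of defence on the developer's machine, so organisation-level Push Protection on the hosting platform, which cannot be bypassed with `--no-verify`, still belongs in front of the remote. The benign `ENABLE_VERBOSE_LOGGING_FOR_DEBUG` identifier in the sample scores about 3.65 bits/char and passes, while the 40-character secret scores about 4.66 and is blocked, which is the gap the threshold is meant to sit in.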
Read the original report
Lawmakers Demand Answers as CISA Tries to Contain Data Leak → at Krebs on Security
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.