U.S. Congressional Budget Office Hit by Cyberattack, Sensitive Data Exposed

The U.S. Congressional Budget Office announced that foreign threat actors recently infiltrated its internal network, resulting in unauthorised access to confidential data.

 

The U.S. Congressional Budget Office (CBO) is a nonpartisan federal agency that supplies Congress with impartial, data-driven analysis and information on budgetary and economic matters.

 

In a recent statement shared with the media, House Budget Committee chairman Jodey Arrington said that a “complex foreign actor” is responsible for the cyber attack on the CBO. 

 

“The House Budget Committee is working closely with CBO, the House Chief Information Officer, and others to monitor the situation, ensure it’s contained, and mitigate any adverse effects of the intrusion,” Arrington said.

 

A spokesperson for the CBO confirmed the data breach, noting that the agency promptly contained the incident and has introduced additional monitoring and new security controls to better safeguard its systems in the future.

 

“The Congressional Budget Office has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward.

 

“The incident is being investigated and work for the Congress continues. Like other government agencies and private sector entities, CBO occasionally faces threats to its network and continually monitors to address those threats,” the spokesperson said.

 

CBO officials said the breach was recently discovered and expressed concern that emails and communications between congressional offices and the agency’s analysts may have been compromised.

 

CBO officials did not share any details regarding the specific nature of the breach or the exact methods the hackers used to gain unauthorised entry into its internal systems.

 

In December 2024, the Treasury experienced a major cyber attack attributed to Chinese state-sponsored hackers. The breach involved unauthorised access to a key from BeyondTrust, a third-party software provider, which allowed attackers to remotely access certain user workstations and unclassified documents. 

 

The Treasury worked with cybersecurity experts, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Intelligence Community to assess the impact. The incident was classified as a major cybersecurity breach. 

 

The Chinese government, however, denied claims of directing or supporting the cyber attack on the Treasury, stating that it did not have any connection with the hackers who carried out the attack.