Federal Emergency Management Agency (FEMA)

An unidentified hacker carried out a **months-long intrusion** into FEMA's computer network in summer 2025, compromising sensitive data of **Customs and Border Protection (CBP) and FEMA employees** in the region covering New Mexico, Texas, and Louisiana. The attacker gained initial access through a vulnerability in **Citrix remote-access software** (the specific CVE has not been disclosed) and then moved deeper into operational systems. DHS began containment in mid-July, but remediation continued into September, and internal documents confirmed that **employee data was stolen**, contradicting earlier official denials. DHS subsequently fired **24 FEMA IT staff**, including senior executives, citing 'severe security lapses.' The incident exposed systemic weaknesses in DHS's cybersecurity posture and raised concerns about the protection of information on the department's **250,000+ employees**, as well as broader national-security exposure. The attacker's identity and motives remain unknown; the long dwell time is consistent with targeted espionage or deliberate data exfiltration rather than opportunistic access.

Source: https://www.wcvb.com/article/fema-cbp-data-breach-hacker-cybersecurity-lapse/68136593

TPRM report: https://www.rankiteo.com/company/fema

```json
{
  "id": "fem1802718100225",
  "linkid": "fema",
  "type": "Breach",
  "date": "7/2025",
  "severity": "85",
  "impact": "3",
  "explanation": "Attack with significant impact, including internal employee data leaks",
  "affected_entities": [
    {
      "name": "Federal Emergency Management Agency (FEMA)",
      "type": "Government Agency",
      "industry": "Public Administration / Emergency Management",
      "location": "USA (regional focus: New Mexico, Texas, Louisiana)",
      "size": "250,000+ employees (DHS-wide)",
      "customers_affected": "FEMA and CBP employees (number unspecified)"
    },
    {
      "name": "Customs and Border Protection (CBP)",
      "type": "Government Agency",
      "industry": "Law Enforcement / Border Security",
      "location": "USA",
      "customers_affected": "CBP employees (number unspecified)"
    },
    {
      "name": "Department of Homeland Security (DHS)",
      "type": "Federal Department",
      "industry": "National Security",
      "location": "USA"
    }
  ],
  "attack_vector": [
    "Exploitation of Citrix Remote Access Software",
    "Lateral Movement within Network"
  ],
  "data_breach": {
    "data_exfiltration": "Confirmed (contradicts initial DHS denial)",
    "personally_identifiable_information": "Likely (employee records)",
    "sensitivity_of_data": "High (government employee information)",
    "type_of_data_compromised": ["Employee Data (FEMA/CBP)"]
  },
  "date_detected": "2025-07 (mid-month; containment began)",
  "date_publicly_disclosed": "2025-08-29",
  "description": "An unidentified hacker stole sensitive data from Customs and Border Protection (CBP) and Federal Emergency Management Agency (FEMA) employees in a months-long breach (summer 2025). The attacker exploited a Citrix software vulnerability to gain deep access to FEMA's network, which handles operations across New Mexico, Texas, and Louisiana. The breach led to the firing of 24 FEMA IT employees, including top executives, for 'severe lapses in security.' Initial claims by DHS Secretary Kristi Noem that no sensitive data had been extracted were contradicted by internal documents confirming the theft of employee data. Containment efforts ran from mid-July to at least September 5, 2025.",
  "impact": {
    "brand_reputation_impact": [
      "Erosion of trust in DHS/FEMA cybersecurity capabilities",
      "Controversy over employee firings and political motivations"
    ],
    "data_compromised": ["FEMA Employee Data", "CBP Employee Data"],
    "downtime": "No outage reported; remediation ran at least 7 weeks (mid-July to September 5, 2025)",
    "identity_theft_risk": "High (employee data stolen)",
    "operational_impact": [
      "Urgent cleanup operation by DHS IT officials",
      "Disruption to FEMA/CBP operations",
      "Firing of 24 IT employees (including top executives)"
    ],
    "systems_affected": [
      "FEMA Computer Network (regional: New Mexico, Texas, Louisiana)",
      "Citrix Remote Access Software"
    ]
  },
  "initial_access_broker": {
    "entry_point": "Citrix Remote Access Software",
    "high_value_targets": [
      "FEMA regional operations network",
      "CBP/employee data"
    ],
    "reconnaissance_period": "Unknown (breach lasted 'several weeks' in summer 2025)"
  },
  "investigation_status": "Ongoing (as of September 2025)",
  "lessons_learned": [
    "Critical vulnerabilities in Citrix remote access software require urgent patching",
    "Need for improved network segmentation and lateral movement detection",
    "Political and operational risks of public contradictions in breach disclosures"
  ],
  "motivation": ["Espionage", "Data Theft"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Personnel changes (24 IT employees fired)",
      "DHS emergency directive for federal agencies to defend against similar threats"
    ],
    "root_causes": [
      "Unpatched Citrix vulnerability",
      "Inadequate network monitoring",
      "Lateral movement controls failure",
      "Possible insider threats or misconfigurations"
    ]
  },
  "ransomware": {
    "data_exfiltration": "Yes (not ransomware-related)"
  },
  "recommendations": [
    "Conduct independent review of DHS/FEMA cybersecurity protocols",
    "Reevaluate employee termination policies post-breach",
    "Enhance transparency in public communications about incidents"
  ],
  "references": [
    {"source": "CNN"},
    {"source": "NextGov/FCW"},
    {"source": "DHS Public Statement (August 29, 2025)"}
  ],
  "regulatory_compliance": {
    "legal_actions": ["Internal disciplinary actions (24 employees fired)"]
  },
  "response": {
    "communication_strategy": [
      "Internal FEMA staff updates",
      "Public statement by DHS Secretary Kristi Noem (August 29, 2025)"
    ],
    "containment_measures": [
      "Initial efforts launched mid-July 2025",
      "Ongoing remediation as of September 5, 2025"
    ],
    "incident_response_plan_activated": "Yes (DHS Task Force formed)",
    "law_enforcement_notified": "Likely (internal DHS investigation)",
    "remediation_measures": [
      "Cleanup operation by DHS IT officials",
      "Firing of 24 FEMA IT employees"
    ]
  },
  "stakeholder_advisories": [
    "Internal FEMA staff updates",
    "DHS Task Force findings"
  ],
  "threat_actor": "Unidentified (possibly advanced hacking group)",
  "title": "Widespread Breach of FEMA and CBP Employee Data via Citrix Vulnerability",
  "type": ["Data Breach", "Unauthorized Access", "Espionage (suspected)"],
  "vulnerability_exploited": "Citrix Software Vulnerability (specific CVE unidentified)"
}
```