A hacker infiltrated FEMA’s computer networks via compromised credentials in Citrix Systems’ remote desktop software, gaining unauthorized access for nearly two months (June 22 to August 5). The breach targeted **FEMA Region 6** (covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas) and compromised **employee identity data** from both FEMA and U.S. Customs and Border Protection (CBP), another DHS component. The attacker exploited weak security measures, including the absence of **multifactor authentication (MFA)**, to move laterally across the network, install VPN software, and exfiltrate data from **Microsoft Active Directory**, which manages access controls. The incident led to the termination of **two dozen FEMA employees**, including IT executives, after DHS Secretary Kristi Noem cited systemic failures like agencywide MFA gaps and 'incompetence' in cybersecurity protocols. While initial statements claimed no sensitive citizen data was stolen, investigations confirmed the theft of **federal employee identity information**. The breach underscored vulnerabilities in critical government infrastructure, though officials asserted no direct harm to American citizens occurred. The attack’s duration and depth raised concerns about persistent threats to federal agencies, compounded by a separate disclosure of hackers exploiting **Cisco firewall devices** in U.S. government systems around the same period.
Source: https://www.insurancejournal.com/news/national/2025/10/01/841146.htm
TPRM report: https://www.rankiteo.com/company/fema
{
  "id": "fem5362353100125",
  "linkid": "fema",
  "type": "Breach",
  "date": "6/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Public Administration / Emergency Management",
      "location": "USA (Region 6: Arkansas, Louisiana, New Mexico, Oklahoma, Texas)",
      "name": "Federal Emergency Management Agency (FEMA)",
      "type": "Government Agency"
    },
    {
      "industry": "Law Enforcement / Border Security",
      "location": "USA",
      "name": "US Customs and Border Protection (CBP)",
      "type": "Government Agency"
    }
  ],
  "attack_vector": [
    "Compromised Credentials",
    "Exploitation of Citrix Remote Desktop Software",
    "Lateral Movement via VPN Software"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (Government Employee PII)",
    "type_of_data_compromised": ["Federal Employee Identity Data"]
  },
  "date_detected": "2025-07-07",
  "date_publicly_disclosed": "2025-08-29",
  "description": "A hacker gained unauthorized access to FEMA's computer networks for several months in 2025, stealing employee data from FEMA and US Customs and Border Protection (CBP). The breach was facilitated via compromised credentials in Citrix Systems Inc.’s remote desktop software, affecting FEMA’s Region 6 (Arkansas, Louisiana, New Mexico, Oklahoma, Texas). The intruder accessed Active Directory and exfiltrated federal employee identity data. FEMA disconnected the compromised Citrix tool and enforced multifactor authentication (MFA) post-breach. The incident led to the termination of 24 FEMA employees, including IT executives, due to alleged incompetence and lack of agencywide MFA.",
  "impact": {
    "brand_reputation_impact": [
      "Public Disclosure of Cyber Lapses",
      "Termination of Senior IT Staff",
      "Media Coverage (Bloomberg, Nextgov/FCW)"
    ],
    "data_compromised": ["Federal Employee Identity Data (FEMA and CBP)"],
    "identity_theft_risk": ["Federal Employee Data (Potential Risk)"],
    "operational_impact": [
      "Disconnection of Citrix Remote Access Tool",
      "Enforcement of MFA",
      "Termination of 24 Employees (Including IT Executives)"
    ],
    "systems_affected": [
      "FEMA Region 6 Servers",
      "Microsoft Active Directory",
      "Citrix Remote Desktop Software"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": ["Installation of VPN Software for Lateral Movement"],
    "entry_point": "Citrix Systems Inc.’s Remote Desktop Software (Compromised Credentials)",
    "high_value_targets": ["Microsoft Active Directory", "FEMA Region 6 Servers"]
  },
  "investigation_status": "Completed (DHS Internal Investigation)",
  "lessons_learned": [
    "Critical importance of enforcing multifactor authentication (MFA) agencywide.",
    "Need for robust monitoring of third-party remote access tools (e.g., Citrix).",
    "Consequences of inadequate access controls in Active Directory.",
    "Accountability for IT leadership failures in cybersecurity posture."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Enforcement of MFA for all FEMA employees.",
      "Disconnection of compromised Citrix tools.",
      "Termination of responsible IT personnel.",
      "Public disclosure of cybersecurity lapses to drive accountability."
    ],
    "root_causes": [
      "Lack of multifactor authentication (MFA) across FEMA systems.",
      "Exploitation of vulnerable Citrix remote access software.",
      "Inadequate monitoring of network access and lateral movement.",
      "IT leadership failures in cybersecurity governance."
    ]
  },
  "recommendations": [
    "Mandate MFA across all government systems and applications.",
    "Conduct regular audits of third-party software vulnerabilities.",
    "Implement zero-trust architecture to limit lateral movement.",
    "Enhance incident response protocols for timely detection and containment.",
    "Provide cybersecurity training for IT executives and staff."
  ],
  "references": [
    {"date_accessed": "2025-09-05", "source": "Bloomberg News", "url": "https://www.bloomberg.com"},
    {"date_accessed": "2025-09-05", "source": "Nextgov/FCW", "url": "https://www.nextgov.com"},
    {"date_accessed": "2025-08-29", "source": "DHS Public Statement (Secretary Kristi Noem)"}
  ],
  "regulatory_compliance": {
    "legal_actions": ["Termination of 24 FEMA Employees (Including IT Executives)"],
    "regulatory_notifications": ["Internal DHS Investigation"]
  },
  "response": {
    "communication_strategy": [
      "Public Statement by DHS Secretary Kristi Noem (2025-08-29)",
      "Media Disclosures (Bloomberg, Nextgov/FCW)"
    ],
    "containment_measures": [
      "Disconnection of Citrix Remote Access Tool (2025-07-16)",
      "Enforcement of Multifactor Authentication (MFA)"
    ],
    "incident_response_plan_activated": true,
    "law_enforcement_notified": true
  },
  "title": "FEMA and Customs and Border Protection Staff Data Breach",
  "type": ["Data Breach", "Unauthorized Access", "Credential Theft"],
  "vulnerability_exploited": [
    "Lack of Multifactor Authentication (MFA)",
    "Weak Access Controls in Citrix Systems",
    "Unsecured Active Directory"
  ]
}