A breach of the Government Accountability Office that resulted in the compromise of data associated with thousands of current and former employees of the agency was carried out using a notorious vulnerability in an Atlassian workforce collaboration tool.
The breach of GAO, a nonpartisan entity that carries out investigations into taxpayer spending for Congress and federal agencies, occurred via one of its contractors, CGI Federal. The contractor notified GAO on Jan. 17 “of a data breach impacting approximately 6,600 people, primarily current and former GAO employees from 2007 to 2017, as well as some companies doing business with GAO,” agency spokesperson Chuck Young told CyberScoop in an email.
A spokesperson for CGI Federal, Mercedes Marx, told CyberScoop Tuesday that it was the victim of a breach of a third-party tool, the Atlassian Confluence workforce collaboration tool.
The Cybersecurity and Infrastructure Security Agency, FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an advisory in October detailing the active exploitation of a vulnerability affecting certain versions of Atlassian Confluence Data Center and Server. Malicious hackers exploited the vulnerability to “obtain access to victim systems and continue active exploitation post-patch,” the advisory warned. Researchers quickly warned of “mass exploitation” of the vulnerability.
“In line with the threat advisory guidance issued by CISA, CGI Federal took immediate remediation actions and continues to work proactively with authorities and clients to identify and disclose any data affected by the Confluence exploitation,” Marx said. “As part of its daily operating practices, CGI continuously and immediately addresses all known and emerging vulnerabilities through regular testing and validation of platforms and systems deployed on behalf of all clients.”
Marx did not immediately respond to questions about why three months elapsed between CISA’s advisory regarding the Atlassian vulnerability on Oct. 16 and the notification to GAO, Jan. 17, 2024. CGI Federal is the U.S. subsidiary of CGI, a Canada-based IT and business services contractor.
A spokesperson for Atlassian said the company alerted its customers of the vulnerability on Oct. 4 and urged them to take “immediate action.” The spokesperson added that “protecting customers’ instances is our top priority, and we are committed to supporting our customers in taking timely action to protect their data.”
The GAO is investigating the cause of the breach and plans to offer identity theft monitoring services to those affected, Young said. CGI’s work with GAO was related to the agency’s financial management systems, he added.
Updated Feb. 13, 2024: This article has been update with comment from an Atlassian spokesperson.