Congressional Budget Office admits it was hacked

The US Congressional Budget Office has admitted that it was hacked.

CBO spokesperson Caitlin Emma told TechCrunch on Friday that the agency is investigating the breach and has “identified the security incident, took immediate action to contain it, and implemented additional monitoring and new security controls to further protect the agency’s systems going forward.”

The CBO is a nonpartisan agency that provides economic analysis and cost estimates to members of Congress during the federal budget writing process, including after a bill is approved at the committee level in both the House and Senate.

On Thursday, the Washington Post, which first disclosed the breach, reported that unspecified foreign hackers were behind the intrusion. CBO officials are concerned that the hackers gained access to internal emails and chat logs, as well as communications between members of Congress’ offices and CBO researchers, the newspaper said.

Reuters reported that the Senate Sergeant at Arms, the Senate’s law enforcement agency, notified the Congressional Office of the breach, warning that emails between the CBO and Congress had been compromised and may have been used to create and send phishing attacks.

It is unclear how the hackers gained access to CBO’s network. But soon after news of the breach became public, security researcher Kevin Beaumont wrote in Bluesky that hackers may have exploited CBO’s outdated Cisco firewalls to infiltrate the agency’s network.

Last month, Beaumont noted that CBO has a Cisco ASA firewall on its network that was last patched in 2024. At the time of his post, CBO’s firewall was vulnerable to a series of newly discovered security bugs that were allegedly being exploited by what appeared to be Chinese government-backed hackers.

Beaumont said CBO’s firewall had not been patched by Oct. 1, when the federal government shutdown went into effect.

On Thursday, Beaumont said the firewall is currently offline.

A CBO spokesperson declined to comment when asked about Beaumont’s findings. A Cisco spokesperson did not respond to a request for comment.