The Congressional Budget Office confirms it was hacked

The US Congressional Budget Office confirmed that it had been hacked.

The agency is investigating the breach and “identified the security incident, took immediate action to contain it, and implemented additional monitoring and new security controls to further protect the agency’s systems moving forward,” CBO spokeswoman Caitlin Emma told TechCrunch on Friday.

CBO is a nonpartisan agency that provides economic analysis and cost estimates to lawmakers during the federal budget process, including after legislative bills are approved at the committee level in the House and Senate.

On Thursday, The Washington Post, which first reported the hack, reported that unspecified foreign hackers were behind the hack. According to the newspaper, CBO officials are concerned that hackers have accessed internal emails and chat logs, as well as communications between lawmakers’ offices and CBO researchers.

Reuters reported that the Senate Sergeant at Arms, the Senate’s law enforcement agency, notified congressional offices of the breach, warning them that emails between the CBO and the offices could have been compromised and used to craft and send phishing attacks.

It is unclear how the hackers gained access to the CBO network. But shortly after news of the hack became public, security researcher Kevin Beaumont wrote on Bluesky’s website that he suspected the hackers may have exploited Congress Bank’s legacy Cisco firewall to break into the agency’s network.

Last month, Beaumont noted that the CBO had a Cisco ASA firewall on its network that was last patched in 2024. At the time of publication, the CBO’s firewall was vulnerable to a series of newly discovered security flaws, which were exploited by suspected Chinese government-backed hackers.

Beaumont said the CBO’s firewall had not been patched by the time the federal government shutdown went into effect on October 1.

The firewall is now offline, Beaumont said Thursday.

A spokesman for the Congressional Budget Office declined to comment when asked about Beaumont’s findings. Cisco spokespersons did not immediately respond to a request for comment.