US agency says it was alerted to breach by contractor CGI Federal

News | February 12, 2024
Projection of cyber code on hooded man is pictured in this illustration picture

By Raphael Satter

(Reuters) – The U.S. Government Accountability Office said Monday that CGI Federal, an IT contractor and unit of CGI Inc, notified the agency of a data breach last month affecting about 6,000 current and former GAO employees.

The GAO, a research arm of Congress, said in a statement the data involved personally identifiable information on employees including some people who worked there from 2007 to 2017.

A breach notification letter seen by Reuters said that the data contained “names, social security numbers, addresses, and some banking information.” The letter said the breach had been carried out by a “threat actor exploiting a vulnerability in an externally provided platform” but didn’t delve into specifics.

GAO spokesperson Chuck Young said his agency was notified about the breach on Jan. 17 but referred questions about its impact to CGI. CGI Federal did not immediately return messages seeking comment.

CGI, which has pivoted toward cybersecurity in recent years, has a host of contracts with the federal government. In recent congressional testimony, a CGI official said that the company has provided IT protection for “100 participating agencies” through the U.S. cybersecurity agency tasked with protecting federal networks.

In the same testimony, GCI said it provided cybersecurity services the State, Justice, Commerce, and Labor departments as well as the Federal Communications Commission and the United States Agency for International Development.

The cybersecurity agency did not immediately respond to a request for comment about CGI. The FBI did not immediately return emails.

(Reporting by Raphael Satter. Additional reporting by Christopher Bing and Douglas Gillison in Washington; Editing by Cynthia Osterman and Lisa Shumaker)