Incident Types: The types of cybersecurity incidents that have occurred include Data Leak, Cyber Attack, Vulnerability, Breach and Ransomware.

Detection and Response: The company detects and responds to cybersecurity incidents through an remediation measures with notification letters sent to affected individuals, remediation measures with additional security measures implemented to restrict access to information, and containment measures with improved detection and response capabilities, containment measures with local law enforcement training, containment measures with technology deployment, and and and containment measures with auditing rdp usage, containment measures with disabling command-line scripting, containment measures with restricting powershell, and remediation measures with enforcing strong authentication (e.g., mfa), remediation measures with patching vulnerable systems, and communication strategy with warnings issued by cisa, fbi, and acsc, and communication strategy with foia disclosure (dhs memo), communication strategy with media reports (wired), and network segmentation with recommended as corrective action, and enhanced monitoring with recommended as corrective action, and third party assistance with cyber threat alliance (information-sharing coordination), third party assistance with internet security alliance (advocacy for policy updates), and remediation measures with sen. gary peters' 10-year cisa 2015 reauthorization bill (protecting america from cyber threats act), remediation measures with house homeland security committee's 10-year extension bill (sponsored by rep. andrew garbarino), remediation measures with proposed updates to cyber-threat indicator definitions (e.g., supply chain, ai threats), remediation measures with incentives for sharing single-point-of-failure data (proposed by internet security alliance), and recovery measures with short-term extensions via continuing resolution (cr) in house/senate bills, recovery measures with potential inclusion in larger legislative vehicles, and communication strategy with sen. peters' public warnings about national/economic security risks, communication strategy with media outreach by cyber threat alliance and internet security alliance, communication strategy with house democratic staffer comments on program success in state/local governments, and communication strategy with public warnings by cybersecurity experts, communication strategy with media coverage highlighting risks, and enhanced monitoring with heightened alert about cybersecurity posture of mobile devices, and law enforcement notified with yes..

Common Attack Types: The most common types of attacks the company has faced is Cyber Attack.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Email Account, RDP credentials (phishing or purchased from IABs) and Misconfigured HSIN-Intel Platform (DHS)Unsecured Database (2025 Breach).

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personally Identifiable Information (Pii), Job Titles, Phone Numbers, Email Addresses, , Personally Identifiable Information, , Call Logs, Recordings, Potential Location Information, , Intelligence Reports (Dhs), User Credentials (Plain Text), Bank Account Details, Health Data, Government Portal Access, , Credentials, Sensitive Data and .

Third-Party Assistance: The company involves third-party assistance in incident response through Cyber Threat Alliance (information-sharing coordination), Internet Security Alliance (advocacy for policy updates), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Notification letters sent to affected individuals, Additional security measures implemented to restrict access to information, , enforcing strong authentication (e.g., MFA), patching vulnerable systems, , Sen. Gary Peters' 10-year CISA 2015 reauthorization bill (Protecting America from Cyber Threats Act), House Homeland Security Committee's 10-year extension bill (sponsored by Rep. Andrew Garbarino), Proposed updates to cyber-threat indicator definitions (e.g., supply chain, AI threats), Incentives for sharing single-point-of-failure data (proposed by Internet Security Alliance), .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by improved detection and response capabilities, local law enforcement training, technology deployment, , auditing rdp usage, disabling command-line scripting, restricting powershell and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Short-term extensions via Continuing Resolution (CR) in House/Senate bills, Potential inclusion in larger legislative vehicles, .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Pending Extradition to the US, Indictment, Conspiracy charges, Fraud charges, Identity theft charges, .

Key Lessons Learned: The key lessons learned from past incidents are Urgent action and cooperation between federal and local agencies are necessary to ensure public safety and preserve critical infrastructure.RDP remains a high-risk attack vector if not properly secured.,Disabling antivirus processes via PowerShell is a common evasion tactic.,Initial access brokers play a key role in facilitating ransomware attacks.,Shift from encryption to extortion highlights the need for data protection beyond backups.Misconfigurations are systemic failures tied to people, process, and policy—not just technical oversights.,Overly permissive IAM policies and lack of segmentation enable broad unauthorized access.,Publicly exposed storage buckets/databases with sensitive data create high-risk vectors.,Plain-text credential storage exacerbates identity theft and fraud risks.,Cloud drift and lack of context in security tools lead to alert fatigue and missed critical issues.,Developer workflows (e.g., CI/CD pipelines) can propagate misconfigurations at scale.Short-term legislative patches are insufficient for cybersecurity operations requiring long-term certainty.,Political objections (e.g., Sen. Rand Paul's conflation of CISA 2015 with the CISA agency) can derail critical cybersecurity measures.,Corporate legal teams may hesitate to share threat data without liability protections, even if operational teams support collaboration.,State/local cybersecurity grants have tangible impacts on community resilience (e.g., schools, hospitals).,CISA's reduced staffing during shutdowns creates systemic vulnerability to major incidents.Politicization of cybersecurity agencies undermines national defense capabilities.,Workforce reductions in critical agencies create exploitable vulnerabilities during high-threat periods.,Budget cuts to threat intelligence and infrastructure protection increase systemic risks.,Public-private partnerships require stable, well-funded government coordination to be effective.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Review CISA's role as a sector risk management agency for the telecommunications industry; Justify the Mobile App Vetting Program's termination and detail CISA's updated plan for the telecommunications industry.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: CISA Ransomware Vulnerability Warning Pilot (RVWP) ProgramUrl: https://www.cisa.gov/stopransomware, and Source: Motherboard, and Source: AFP, and Source: CISA Advisory on BianLian Ransomware, and Source: FBI Warning on BianLian Extortion Tactics, and Source: ACSC Alert on BianLian Threat, and Source: Avast Decryption Tool Release (2023), and Source: WIREDUrl: https://www.wired.com/story/dhs-data-hub-exposed-sensitive-intel-unauthorized-users/Date Accessed: 2023-06-01, and Source: Jeremiah Fowler (Cybersecurity Researcher)Date Accessed: 2025-06-01, and Source: Wiz Academy - Top 11 Cloud Security VulnerabilitiesUrl: https://www.wiz.io/academy/top-cloud-vulnerabilities, and Source: CrowdStrike - Common Cloud MisconfigurationsUrl: https://www.crowdstrike.com/blog/common-cloud-misconfigurations/Date Accessed: 2023-01-01, and Source: SentinelOne - Cloud Misconfiguration PreventionUrl: https://www.sentinelone.com/blog/cloud-misconfigurations/, and Source: SecPod - Top 10 Cloud MisconfigurationsUrl: https://www.secpod.com/blog/top-cloud-misconfigurations/, and Source: Politico, and Source: Sen. Gary Peters (D-MI) statements, and Source: Cyber Threat Alliance (Michael Daniel), and Source: Internet Security Alliance (Larry Clinton), and Source: House Homeland Security Committee, and Source: ClearanceJobs, and Source: SOCRadar (Ensar Seker, CISO), and Source: CISA, NSA, Canadian Centre for Cyber Security, and Source: Google security researchers, and Source: CyberScoop, and Source: US Department of Justice, and Source: Reward for Justice (US State Department), and Source: Courthouse News.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Warnings Issued By Cisa, Fbi, And Acsc, Foia Disclosure (Dhs Memo), Media Reports (Wired), Sen. Peters' Public Warnings About National/Economic Security Risks, Media Outreach By Cyber Threat Alliance And Internet Security Alliance, House Democratic Staffer Comments On Program Success In State/Local Governments, Public Warnings By Cybersecurity Experts and Media Coverage Highlighting Risks.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Cisa, Fbi, Acsc, Foia Memo (Dhs), Media Statements, None (Dhs), Recommended Password Resets For 184M Affected Users (2025 Breach), , Sen. Peters' Warnings To Reporters About National Security Risks., Cyber Threat Alliance And Internet Security Alliance Statements On Information-Sharing Impacts., House Homeland Security Committee Republican Aide Comments On Cr Extensions., House Democratic Staffer Remarks On State/Local Grant Program Success., Cybersecurity Experts Warn Of Increased Risks Due To Cisa'S Reduced Capacity. and Private Sector Partners Advised To Bolster Independent Defenses Amid Government Instability..

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Recommended As Corrective Action, , Cyber Threat Alliance (Information-Sharing Coordination), Internet Security Alliance (Advocacy For Policy Updates), , Heightened alert about cybersecurity posture of mobile devices.

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Improve Detection And Response Capabilities, Enhance Local Law Enforcement Training, Deploy Advanced Technologies To Mitigate Drone Threats, , Enforce Mfa For All Remote Access., Disable Unnecessary Rdp Exposure To The Internet., Restrict Powershell To Administrative Use Only., Deploy Endpoint Detection And Response (Edr) Tools To Monitor For Malicious Activity., Conduct Regular Audits Of High-Privilege Accounts., , Revised Iam Policies With Least-Privilege Principles., Implemented Network Segmentation For Hsin Platforms., Enabled Centralized Logging And Monitoring (Dhs)., Mandated Encryption For Sensitive Data (Post-2025 Breach)., Conducted Staff Training On Secure Cloud Configurations., Deployed Automated Misconfiguration Detection Tools., Established Regular Audits For Public-Facing Resources., , Bipartisan Negotiation To Separate Cisa 2015 Reauthorization From Unrelated Political Disputes., Development Of A Dedicated Legislative Process For Cybersecurity Updates (E.G., 5-Year Review Cycles)., Expansion Of Cisa'S Shutdown-Exempt Staff To Maintain Core Functions., Public-Private Working Groups To Modernize Threat-Sharing Frameworks (E.G., Ai, Systemic Risks)., State/Local Cybersecurity Coalitions To Sustain Grant-Funded Initiatives During Federal Lapses., , Restoration Of Cisa'S Workforce And Budget To Pre-Cut Levels., Depoliticization Of Agency Operations To Refocus On Cybersecurity., Reinstatement Of Eliminated Subdivisions (E.G., Chemical Security)., Stronger Legislative Protections For Cybersecurity Agencies During Government Shutdowns., Increased Transparency In Communicating Risks To Stakeholders., .

Last Ransom Demanded: The amount of the last ransom demanded was True.

Last Attacking Group: The attacking group in the last incident were an Hacker, Heritage Foundation, Heritage Foundation's Project 2025, Political ClimateTrump Administration, Political Leadership Changes, Beijing, Unnamed Ransomware Gang, BianLian ransomware group, Nation-State ActorsCybercriminalsHacktivistsOpportunistic Hackers, Chinese hackers, Salt Typhoon and NoName057(16)CyberArmyofRussia_Reborn (CARR)GRU (Russian Military Intelligence).

Most Recent Incident Detected: The most recent incident detected was on 2023-06-21.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-10-01.

Most Significant Data Compromised: The most significant data compromised in an incident were 200GB of data, including records of 20,000 FBI workers and 9,000 DHS employees, Information about DHS security experts, programme analysts, IT, infosec, and security, as well as 100 individuals who hold the title of intelligence, , Employee names, Social Security numbers, Dates of birth, Positions, Grades, Duty locations, , call logs, recordings, potential location information, , , Sensitive Intelligence (DHS), 184M User Records (2025 Breach), Plain-Text Credentials (Apple, Google, Meta, etc.), Bank Accounts, Health Platforms, Government Portals, , Credentials and sensitive data.

Most Significant System Affected: The most significant system affected in an incident were DHS OIG Case Management System and and HSIN-Intel Platform (DHS)Unsecured Database (2025 Breach) and Critical Infrastructure (e.g., power grids, water treatment plants)Federal Cyber Defense SystemsThreat Intelligence Sharing Platforms and WindowsVMware vSphere and and Water systemsFood supply chainsPublic servicesMeat processing facilitiesGovernment websites.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was cyber threat alliance (information-sharing coordination), internet security alliance (advocacy for policy updates), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Improved detection and response capabilitiesLocal law enforcement trainingTechnology deployment and auditing RDP usagedisabling command-line scriptingrestricting PowerShell.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Duty locations, call logs, Sensitive Intelligence (DHS), recordings, Information about DHS security experts, programme analysts, IT, infosec, and security, as well as 100 individuals who hold the title of intelligence, 200GB of data, including records of 20,000 FBI workers and 9,000 DHS employees, Bank Accounts, 184M User Records (2025 Breach), Grades, potential location information, Government Portals, Health Platforms, Credentials, sensitive data, Employee names, Plain-Text Credentials (Apple, Google, Meta, etc.), Positions, Social Security numbers and Dates of birth.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 184.0M.

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was True.

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Pending Extradition to the US, Indictment, Conspiracy charges, Fraud charges, Identity theft charges, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Public-private partnerships require stable, well-funded government coordination to be effective.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Enable **centralized logging and monitoring** with context-aware alerts., Encrypt **data at rest and in transit** (avoid plain-text storage)., Deploy advanced technologies to mitigate drone threats, Enhance public awareness of the risks posed by CISA's reduced capacity., Pass a 10-year reauthorization of CISA 2015 with retroactive protections to Oct. 1, 2023., Regularly update and patch remote management software., Incentivize sharing of single-point-of-failure data to address systemic risks., Review CISA's role as a sector risk management agency for the telecommunications industry; Justify the Mobile App Vetting Program's termination and detail CISA's updated plan for the telecommunications industry, Restore full funding for CISA to avoid operational gaps during shutdowns., Train staff on **secure cloud deployment practices** (e.g., Infrastructure as Code templates)., Enforce **multi-factor authentication (MFA)** on all admin accounts., Address **shadow IT** with discovery tools and governance policies., Enhance local law enforcement training, Prioritize retention of key divisions like ISD and SED to maintain critical infrastructure protection., Restrict PowerShell and command-line scripting to limit attacker lateral movement., Prioritize **human-centric security** (training, process improvements) alongside technical controls., Educate employees on phishing risks to prevent credential theft., Use **automated policy-as-code tools** (e.g., Terraform, Open Policy Agent) to prevent drift., Clarify distinctions between CISA (the agency) and CISA 2015 (the law) to address political misconceptions., Segment networks to **limit lateral movement** in case of breaches., Develop contingency plans for government shutdowns to minimize disruptions to cyber defense., Establish bipartisan task forces to depoliticize cybersecurity legislation., Implement strong authentication practices across all critical systems., Modernize the definition of 'cyber-threat indicators' to include supply chain and AI-related threats., Monitor for unusual data exfiltration patterns., Implement **least-privilege access** and **just-in-time permissions** for IAM roles., Audit and secure RDP access with MFA and network segmentation., Conduct **regular audits** of public-facing storage (buckets, databases, APIs)., Restore and increase funding for CISA to address workforce shortages and operational gaps., Reauthorize the State and Local Cybersecurity Grant Program for 10 years, with provisions for AI-system support., Avoid politicizing CISA's mission to ensure bipartisan support for cybersecurity. and Improve detection and response capabilities.

Most Recent Source: The most recent source of information about an incident are Sen. Gary Peters (D-MI) statements, Motherboard, ACSC Alert on BianLian Threat, SecPod - Top 10 Cloud Misconfigurations, Google security researchers, ClearanceJobs, House Homeland Security Committee, SOCRadar (Ensar Seker, CISO), AFP, Avast Decryption Tool Release (2023), Courthouse News, CISA, NSA, Canadian Centre for Cyber Security, Cyber Threat Alliance (Michael Daniel), CISA Ransomware Vulnerability Warning Pilot (RVWP) Program, Reward for Justice (US State Department), Wiz Academy - Top 11 Cloud Security Vulnerabilities, CyberScoop, Politico, FBI Warning on BianLian Extortion Tactics, Jeremiah Fowler (Cybersecurity Researcher), US Department of Justice, CrowdStrike - Common Cloud Misconfigurations, Internet Security Alliance (Larry Clinton), CISA Advisory on BianLian Ransomware, WIRED and SentinelOne - Cloud Misconfiguration Prevention.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.cisa.gov/stopransomware, https://www.wired.com/story/dhs-data-hub-exposed-sensitive-intel-unauthorized-users/, https://www.wiz.io/academy/top-cloud-vulnerabilities, https://www.crowdstrike.com/blog/common-cloud-misconfigurations/, https://www.sentinelone.com/blog/cloud-misconfigurations/, https://www.secpod.com/blog/top-cloud-misconfigurations/ .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was CISA, FBI, ACSC, FOIA Memo (DHS), Media Statements, Sen. Peters' warnings to reporters about national security risks., Cyber Threat Alliance and Internet Security Alliance statements on information-sharing impacts., House Homeland Security Committee Republican aide comments on CR extensions., House Democratic staffer remarks on state/local grant program success., Cybersecurity experts warn of increased risks due to CISA's reduced capacity., Private sector partners advised to bolster independent defenses amid government instability., .

Most Recent Customer Advisory: The most recent customer advisory issued was an None (DHS)Recommended Password Resets for 184M Affected Users (2025 Breach).

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Email Account and RDP credentials (phishing or purchased from IABs).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Lack of adequate detection and response capabilities for drone threats, Weak or stolen RDP credentialsLack of MFA on critical access pointsUnrestricted use of PowerShell for scriptingInsufficient monitoring for data exfiltration, Overly permissive IAM policies ('everyone' access).Lack of network segmentation (DHS).Disabled logging/missing alerts (no detection of unauthorized access).Human error in access configuration (HSIN-Intel).Plain-text storage of credentials (2025 Breach).Complex cloud architectures without adequate governance.Shadow IT/unmonitored accounts (potential factor).Inadequate policy-as-code enforcement., Political gridlock preventing timely reauthorization of critical cybersecurity programs.Conflation of CISA 2015 (law) with CISA (agency) by key senators (e.g., Rand Paul).Over-reliance on short-term Continuing Resolutions for long-term cybersecurity needs.Lack of clear legislative vehicles for updating CISA 2015's threat definitions (e.g., AI, supply chain).Insufficient contingency planning for CISA operations during government shutdowns., Government shutdown leading to furloughs and layoffs at CISA.Political disputes redirecting agency focus away from core cybersecurity missions.Budget cuts targeting critical divisions (e.g., ISD, SED).High attrition rate (1,000+ employees left in 2023).Perceived mission creep (e.g., misinformation efforts) distracting from cybersecurity priorities., Advanced malware (BRICKSTORM) with obfuscation and persistence features, State-sponsored cyber warfareGeopolitical conflict exploitation.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Improve detection and response capabilitiesEnhance local law enforcement trainingDeploy advanced technologies to mitigate drone threats, Enforce MFA for all remote access.Disable unnecessary RDP exposure to the internet.Restrict PowerShell to administrative use only.Deploy endpoint detection and response (EDR) tools to monitor for malicious activity.Conduct regular audits of high-privilege accounts., Revised IAM policies with least-privilege principles.Implemented network segmentation for HSIN platforms.Enabled centralized logging and monitoring (DHS).Mandated encryption for sensitive data (post-2025 Breach).Conducted staff training on secure cloud configurations.Deployed automated misconfiguration detection tools.Established regular audits for public-facing resources., Bipartisan negotiation to separate CISA 2015 reauthorization from unrelated political disputes.Development of a dedicated legislative process for cybersecurity updates (e.g., 5-year review cycles).Expansion of CISA's shutdown-exempt staff to maintain core functions.Public-private working groups to modernize threat-sharing frameworks (e.g., AI, systemic risks).State/local cybersecurity coalitions to sustain grant-funded initiatives during federal lapses., Restoration of CISA's workforce and budget to pre-cut levels.Depoliticization of agency operations to refocus on cybersecurity.Reinstatement of eliminated subdivisions (e.g., Chemical Security).Stronger legislative protections for cybersecurity agencies during government shutdowns.Increased transparency in communicating risks to stakeholders..