A large-scale cyber breach targeted FEMA (Federal Emergency Management Agency) over several weeks, compromising its network and exposing sensitive employee data from both FEMA and Customs and Border Protection (CBP). The attacker exploited vulnerabilities in Citrix remote access software, gaining deep access across regions including New Mexico, Texas, and Louisiana. While initial claims by Homeland Security Secretary Kristi Noem stated no sensitive data was extracted, internal documents later confirmed the theft of FEMA and CBP employee data, affecting over 250,000 employees and raising concerns about DHS’s cybersecurity capabilities. The breach led to the dismissal of 20 FEMA IT workers, including senior leaders, accused of security failures. Remediation efforts spanned months, with DHS and FEMA struggling to contain the intrusion until at least September 2025. The attack underscored systemic vulnerabilities in federal network defenses, prompting emergency directives to strengthen protections against advanced hacker groups. The incident remains under investigation, with no confirmed attribution or link to broader espionage campaigns.

An unidentified hacker executed a months-long breach targeting FEMA’s computer network, compromising sensitive data of Customs and Border Protection (CBP) and FEMA employees across a region spanning New Mexico, Texas, and Louisiana. The attacker exploited vulnerabilities in Citrix remote-access software, gaining deep access to operational systems. Despite initial containment efforts by DHS in mid-July, remediation extended into September, with confirmations that employee data was stolen, contradicting earlier official denials. The breach led to the firing of 24 FEMA IT staff, including top executives, amid accusations of 'severe security lapses.' The incident exposed systemic weaknesses in DHS’s cybersecurity posture, raising concerns about the protection of over 250,000 employees’ information and potential broader threats to national security. The attacker’s identity and motives remain unknown, though the prolonged intrusion suggests targeted espionage or data exfiltration for malicious use.

A hacker infiltrated FEMA’s computer networks via compromised credentials in Citrix Systems’ remote desktop software, gaining unauthorized access for nearly two months (June 22 to August 5). The breach targeted FEMA Region 6 (covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas) and compromised employee identity data from both FEMA and U.S. Customs and Border Protection (CBP), another DHS component. The attacker exploited weak security measures, including the absence of multifactor authentication (MFA), to move laterally across the network, install VPN software, and exfiltrate data from Microsoft Active Directory, which manages access controls. The incident led to the termination of two dozen FEMA employees, including IT executives, after DHS Secretary Kristi Noem cited systemic failures like agencywide MFA gaps and 'incompetence' in cybersecurity protocols. While initial statements claimed no sensitive citizen data was stolen, investigations confirmed the theft of federal employee identity information. The breach underscored vulnerabilities in critical government infrastructure, though officials asserted no direct harm to American citizens occurred. The attack’s duration and depth raised concerns about persistent threats to federal agencies, compounded by a separate disclosure of hackers exploiting Cisco firewall devices in U.S. government systems around the same period.

A hacker infiltrated FEMA’s computer networks via compromised Citrix remote desktop credentials, maintaining unauthorized access from June 22 to August 5, 2024. The breach targeted FEMA Region 6 (covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas) and involved the theft of employee identity data from FEMA and U.S. Customs and Border Protection (CBP). The attacker exploited weak security controls, including the absence of multifactor authentication (MFA), to move laterally across the network, install VPN software, and exfiltrate data from Active Directory.The incident led to the termination of 24 FEMA employees, including IT executives, after an investigation revealed systemic failures in cybersecurity protocols. While initial statements claimed no sensitive data was stolen, a DHS internal review confirmed the theft of federal employee identity information. The breach underscored vulnerabilities in government cybersecurity, compounded by a separate disclosure of hackers exploiting Cisco firewall devices in U.S. agencies, though no direct link to the FEMA attack was established.

FEMA suffered a cyberattack in June 2024 where threat actors exploited CitrixBleed 2 (CVSS 9.3) via stolen credentials to breach its Citrix Netscaler ADC/Gateway, bypassing MFA. Attackers exfiltrated data from Region 6 servers (covering Arkansas, Louisiana, New Mexico, Oklahoma, Texas), including sensitive government and citizen information. The breach remained undetected until July, despite prior CISA warnings about active exploitation. FEMA initially denied data loss but later evidence confirmed unauthorized uploads. The incident led to the termination of the CISO, CIO, and 22 staff for negligence, including falsified security audits. Remediation included forced password resets, MFA enforcement, and a complete IT overhaul. The attack exposed systemic failures in patch management and incident response, risking national security data, emergency response capabilities, and public trust in a critical federal agency.

FEMA stated that they mistakenly exposed the personal information, including addresses and bank account information, of 2.3 million disaster victims. The breach occurred because FEMA did not ensure a private contractor only received the information it required to perform its official duties. The victims affected include survivors of Hurricanes Harvey, Irma, and Maria and the 2017 California wildfires. The report found FEMA's failure to protect their data put them at risk of identity theft and fraud. According to the report, some of the data collected, such as addresses and Social Security numbers, were necessary to give aid. but other information, like electronic bank account information, was not considered necessary.