Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack, Ransomware, Breach, Data Leak and Vulnerability.

Total Financial Loss: The total financial loss from these incidents is estimated to be $100 billion.

Detection and Response: The company detects and responds to cybersecurity incidents through an remediation measures with notification letters sent to affected individuals, remediation measures with additional security measures implemented to restrict access to information, and containment measures with improved detection and response capabilities, containment measures with local law enforcement training, containment measures with technology deployment, and and and containment measures with auditing rdp usage, containment measures with disabling command-line scripting, containment measures with restricting powershell, and remediation measures with enforcing strong authentication (e.g., mfa), remediation measures with patching vulnerable systems, and communication strategy with warnings issued by cisa, fbi, and acsc, and incident response plan activated with yes (internal memo via brennan center for justice), and third party assistance with brennan center for justice (via foia disclosure), and communication strategy with limited (internal memo obtained via foia; no public statement detailed), and and and containment measures with disconnected citrix remote access tool (2023-07-16), containment measures with enforced multifactor authentication, and communication strategy with public statement by dhs secretary (2023-08-29), communication strategy with media disclosures (bloomberg, nextgov/fcw), and incident response plan activated with yes (dhs it leadership urgent action), and law enforcement notified with likely (no explicit confirmation), and containment measures with localization of breach (mid-july 2025), containment measures with network segmentation, containment measures with access revocation, and remediation measures with ongoing as of september 5, 2025, remediation measures with emergency directive for federal network hardening, remediation measures with identity management reforms, and communication strategy with internal fema staff updates, communication strategy with public statements by homeland security secretary kristi noem, communication strategy with media coverage (cnn), and network segmentation with implemented post-breach, and enhanced monitoring with yes (focus on remote access vulnerabilities), and and and containment measures with disconnection of citrix remote access tool (2025-07-16), containment measures with enforcement of multifactor authentication (mfa), and communication strategy with public statement by dhs secretary kristi noem (2025-08-29), communication strategy with media disclosures (bloomberg, nextgov/fcw), and incident response plan activated with yes (dhs task force formed), and law enforcement notified with likely (internal dhs investigation), and containment measures with initial efforts launched mid-july 2023, containment measures with ongoing remediation as of september 5, 2023, and remediation measures with cleanup operation by dhs it officials, remediation measures with firing of 24 fema it employees, and communication strategy with internal fema staff updates, communication strategy with public statement by dhs secretary kristi noem (august 29, 2023), and communication strategy with foia disclosure (dhs memo), communication strategy with media reports (wired), and network segmentation with recommended as corrective action, and enhanced monitoring with recommended as corrective action, and incident response plan activated with yes (post-discovery), and containment measures with password resets, containment measures with multi-factor authentication (mfa) enforcement, and remediation measures with it staff overhaul, remediation measures with new security personnel hired, and communication strategy with public disclosure of terminations (but initially denied data loss), and third party assistance with cyber threat alliance (information-sharing coordination), third party assistance with internet security alliance (advocacy for policy updates), and remediation measures with sen. gary peters' 10-year cisa 2015 reauthorization bill (protecting america from cyber threats act), remediation measures with house homeland security committee's 10-year extension bill (sponsored by rep. andrew garbarino), remediation measures with proposed updates to cyber-threat indicator definitions (e.g., supply chain, ai threats), remediation measures with incentives for sharing single-point-of-failure data (proposed by internet security alliance), and recovery measures with short-term extensions via continuing resolution (cr) in house/senate bills, recovery measures with potential inclusion in larger legislative vehicles, and communication strategy with sen. peters' public warnings about national/economic security risks, communication strategy with media outreach by cyber threat alliance and internet security alliance, communication strategy with house democratic staffer comments on program success in state/local governments, and communication strategy with public warnings by cybersecurity experts, communication strategy with media coverage highlighting risks, and third party assistance with identity protection services, third party assistance with credit monitoring services, and containment measures with ssn lock via ssa or e-verify, containment measures with credit freeze via credit bureaus, containment measures with irs identity protection pin, and remediation measures with monitoring financial accounts, remediation measures with dark web monitoring (via id theft protection services), remediation measures with white glove restoration services for identity recovery, and recovery measures with unlocking ssn for legitimate use (e.g., employment verification), recovery measures with temporary lift of credit freeze for authorized credit applications, and communication strategy with public advisory via cnet article, communication strategy with ssa and e-verify user notifications (e.g., lock expiration alerts), and enhanced monitoring with credit monitoring, enhanced monitoring with dark web monitoring for compromised pii, and and and containment measures with public service announcement (psa), containment measures with awareness campaign, containment measures with reporting via ic3 (internet crime complaint center), and remediation measures with password changes, remediation measures with multi-factor authentication (mfa) enforcement, remediation measures with account monitoring, and communication strategy with fbi psa, communication strategy with media outreach, communication strategy with direct warnings to potential targets, and enhanced monitoring with recommendation for individuals to monitor accounts, and enhanced monitoring with heightened alert about cybersecurity posture of mobile devices, and law enforcement notified with yes, and containment measures with immediate patch deployment, enforcement of robust password policies, continuous monitoring, and remediation measures with application of latest security patches, security audits, personnel training, and enhanced monitoring with deployment of continuous monitoring solutions, and communication strategy with dhs statement on risks to staff safety; public advisories on the breach, and containment measures with migration to more secure servers, and recovery measures with site resumed operations..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Email Account, RDP credentials (phishing or purchased from IABs), Citrix Systems Inc.’s Remote Desktop Software (Compromised Credentials), Citrix Remote Access Software (via government contractor), Citrix Systems Inc.’s Remote Desktop Software (Compromised Credentials), Citrix Remote Access Software, Misconfigured HSIN-Intel Platform (DHS)Unsecured Database (2025 Breach), Citrix System (via stolen credentials), SMS/MMS messagesvoice calls/voicemailsfake messaging platforms, Brute-force attacksPassword sprayingMFA fatigue (push bombing) and Exploiting vulnerabilities in public-facing applicationsInitial access brokers.

Average Financial Loss: The average financial loss per incident is $3.12 billion.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Information, , Addresses, Bank Account Information, Social Security Numbers, , Personally Identifiable Information (Pii), Job Titles, Phone Numbers, Email Addresses, , Personally Identifiable Information, , Call Logs, Recordings, Potential Location Information, , Classified/Restricted Intelligence Products, Surveillance Data, Cyber Threat Intelligence, Law Enforcement Investigations, Domestic Protest Analysis, , Employee Identity Data, , Employee Records, Potentially Sensitive Operational Data, , Federal Employee Identity Data, , Employee Data (Fema/Cbp), , Intelligence Reports (Dhs), User Credentials (Plain Text), Bank Account Details, Health Data, Government Portal Access, , Social Security Numbers (Ssns), Potentially Other Pii In Unrelated Breaches, , Personal Identifiable Information (Pii), Credentials, Contact Lists, Potentially Sensitive Communications, , Credentials, Sensitive Data, , Credentials, Api Keys, Sensitive Data, , Personal Identifiable Information (Pii), Employment Data, , Personal and professional information of federal agents and Sensitive data (including personally identifiable information).

Incident Response Plan: The company's incident response plan is described as Yes (internal memo via Brennan Center for Justice), , Yes (DHS IT leadership urgent action), , Yes (DHS Task Force formed), Yes (post-discovery), .

Third-Party Assistance: The company involves third-party assistance in incident response through Brennan Center for Justice (via FOIA disclosure), , Cyber Threat Alliance (information-sharing coordination), Internet Security Alliance (advocacy for policy updates), , Identity Protection Services, Credit Monitoring Services, .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Notification letters sent to affected individuals, Additional security measures implemented to restrict access to information, , enforcing strong authentication (e.g., MFA), patching vulnerable systems, , Ongoing as of September 5, 2025, Emergency Directive for Federal Network Hardening, Identity Management Reforms, , Cleanup operation by DHS IT officials, Firing of 24 FEMA IT employees, , IT staff overhaul, New security personnel hired, , Sen. Gary Peters' 10-year CISA 2015 reauthorization bill (Protecting America from Cyber Threats Act), House Homeland Security Committee's 10-year extension bill (sponsored by Rep. Andrew Garbarino), Proposed updates to cyber-threat indicator definitions (e.g., supply chain, AI threats), Incentives for sharing single-point-of-failure data (proposed by Internet Security Alliance), , Monitoring financial accounts, Dark web monitoring (via ID theft protection services), White glove restoration services for identity recovery, , password changes, multi-factor authentication (MFA) enforcement, account monitoring, , Application of latest security patches, security audits, personnel training.

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by improved detection and response capabilities, local law enforcement training, technology deployment, , auditing rdp usage, disabling command-line scripting, restricting powershell, , disconnected citrix remote access tool (2023-07-16), enforced multifactor authentication, , localization of breach (mid-july 2025), network segmentation, access revocation, , disconnection of citrix remote access tool (2025-07-16), enforcement of multifactor authentication (mfa), , initial efforts launched mid-july 2023, ongoing remediation as of september 5, 2023, , password resets, multi-factor authentication (mfa) enforcement, , ssn lock via ssa or e-verify, credit freeze via credit bureaus, irs identity protection pin, , public service announcement (psa), awareness campaign, reporting via ic3 (internet crime complaint center), , immediate patch deployment, enforcement of robust password policies, continuous monitoring and migration to more secure servers.

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Short-term extensions via Continuing Resolution (CR) in House/Senate bills, Potential inclusion in larger legislative vehicles, , Unlocking SSN for legitimate use (e.g., employment verification), Temporary lift of credit freeze for authorized credit applications, , Site resumed operations.

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Pending Extradition to the US, Termination of 24 FEMA Employees (Including IT Leadership), , Personnel Dismissals (20 IT workers), Administrative Leave for Others, , Termination of 24 FEMA Employees (Including IT Executives), , Internal disciplinary actions (24 employees fired), , Indictment, Conspiracy charges, Fraud charges, Identity theft charges, .

Key Lessons Learned: The key lessons learned from past incidents are Ensure that only necessary data is shared with contractors to perform their official duties.Urgent action and cooperation between federal and local agencies are necessary to ensure public safety and preserve critical infrastructure.RDP remains a high-risk attack vector if not properly secured.,Disabling antivirus processes via PowerShell is a common evasion tactic.,Initial access brokers play a key role in facilitating ransomware attacks.,Shift from encryption to extortion highlights the need for data protection beyond backups.Critical gaps in access controls and platform configuration within high-security government systems; need for stricter auditing of user permissions and real-time monitoring of sensitive data hubs.Critical need for multifactor authentication (MFA) across all systems.,Vulnerabilities in third-party remote access tools (e.g., Citrix) require proactive monitoring.,Lateral movement risks in Active Directory highlight the need for segmentation and access controls.,Delayed detection (hacker active for ~45 days) underscores gaps in continuous threat monitoring.Critical vulnerabilities in remote access systems (e.g., Citrix) require immediate patching and monitoring.,Personnel changes without transparent justification can undermine morale and operational trust.,Contradictory public statements (e.g., data exfiltration denials) erode credibility during crises.,Federal agencies must prioritize network segmentation and identity management to limit lateral movement.Critical importance of enforcing multifactor authentication (MFA) agencywide.,Need for robust monitoring of third-party remote access tools (e.g., Citrix).,Consequences of inadequate access controls in Active Directory.,Accountability for IT leadership failures in cybersecurity posture.Critical vulnerabilities in Citrix remote access software require urgent patching,Need for improved network segmentation and lateral movement detection,Political and operational risks of public contradictions in breach disclosuresMisconfigurations are systemic failures tied to people, process, and policy—not just technical oversights.,Overly permissive IAM policies and lack of segmentation enable broad unauthorized access.,Publicly exposed storage buckets/databases with sensitive data create high-risk vectors.,Plain-text credential storage exacerbates identity theft and fraud risks.,Cloud drift and lack of context in security tools lead to alert fatigue and missed critical issues.,Developer workflows (e.g., CI/CD pipelines) can propagate misconfigurations at scale.Critical vulnerabilities (e.g., CitrixBleed) must be patched promptly. Transparency in incident reporting is essential to maintain trust. Security preparedness claims must be audited rigorously to prevent misrepresentation.Short-term legislative patches are insufficient for cybersecurity operations requiring long-term certainty.,Political objections (e.g., Sen. Rand Paul's conflation of CISA 2015 with the CISA agency) can derail critical cybersecurity measures.,Corporate legal teams may hesitate to share threat data without liability protections, even if operational teams support collaboration.,State/local cybersecurity grants have tangible impacts on community resilience (e.g., schools, hospitals).,CISA's reduced staffing during shutdowns creates systemic vulnerability to major incidents.Politicization of cybersecurity agencies undermines national defense capabilities.,Workforce reductions in critical agencies create exploitable vulnerabilities during high-threat periods.,Budget cuts to threat intelligence and infrastructure protection increase systemic risks.,Public-private partnerships require stable, well-funded government coordination to be effective.Proactive measures like SSN locks and credit freezes can mitigate identity theft risks.,SSN locks are particularly effective against employment fraud but require manual management for legitimate use cases.,Layered defenses (e.g., SSN lock + credit freeze + IRS PIN) provide stronger protection.,Monitoring services (credit/dark web) add an extra layer of detection for compromised data.AI-powered scams are increasingly sophisticated and can bypass traditional skepticism.,Trust-based attacks exploit human psychology, requiring behavioral defenses (e.g., verification habits).,Publicly available data (e.g., LinkedIn, social media) fuels convincing impersonations.,Multi-factor authentication (MFA) is critical but must be paired with user education to prevent code-sharing.,Proactive communication from authorities can mitigate large-scale campaigns.Importance of maintaining robust and up-to-date cybersecurity defenses, regular security audits, and adherence to best security practices.Need for stronger internal accountability mechanisms within DHS; risks of whistleblower leaks in high-profile agencies; importance of protecting law enforcement personnel data.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Implement mandatory multi-factor authentication (MFA) for all remote access systems., Establish a unified communication protocol for breach disclosures to avoid conflicting narratives., Conduct regular security audits to uncover and resolve gaps or misconfigurations., Enforce robust and complex password policies., Harness advanced threat detection tools to proactively identify and counteract potential database attacks., Investigate the dismissals of FEMA IT leaders to ensure accountability is evidence-based., Implement strict data sharing policies and procedures to prevent oversharing of sensitive information., Immediately apply the latest security patches released by MongoDB developers., Provide training for personnel on best security practices., Deploy continuous monitoring solutions to detect abnormal database activity., Enhance collaboration with cybersecurity firms to proactively detect and mitigate advanced threats., Review CISA's role as a sector risk management agency for the telecommunications industry; Justify the Mobile App Vetting Program's termination and detail CISA's updated plan for the telecommunications industry, Conduct a third-party audit of DHS/FEMA cybersecurity posture and focusing on remote access and privilege management..

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: CISA Ransomware Vulnerability Warning Pilot (RVWP) ProgramUrl: https://www.cisa.gov/stopransomware, and Source: Motherboard, and Source: AFP, and Source: CISA Advisory on BianLian Ransomware, and Source: FBI Warning on BianLian Extortion Tactics, and Source: ACSC Alert on BianLian Threat, and Source: Avast Decryption Tool Release (2023), and Source: WIRED, and Source: Brennan Center for Justice (FOIA Obtained DHS Memo), and Source: Bloomberg News, and Source: Nextgov/FCW, and Source: DHS Public Statement (2023-08-29), and Source: CNNDate Accessed: 2025-09-12, and Source: Internal FEMA Document (reviewed by CNN)Date Accessed: 2025-09-10, and Source: DHS Emergency Directive (post-breach)Date Accessed: 2025-09, and Source: Statement by Homeland Security Secretary Kristi NoemDate Accessed: 2025-08-29, and Source: AFP/Getty Images (FEMA HQ photo)Url: https://www.gettyimages.com/detail/news-photo/fema-headquarters-is-pictured-in-washington-dc-on-february-news-photo/1238567890Date Accessed: 2025-02-11, and Source: Bloomberg NewsUrl: https://www.bloomberg.comDate Accessed: 2025-09-05, and Source: Nextgov/FCWUrl: https://www.nextgov.comDate Accessed: 2025-09-05, and Source: DHS Public Statement (Secretary Kristi Noem)Date Accessed: 2025-08-29, and Source: CNN, and Source: NextGov/FCW, and Source: DHS Public Statement (August 29, 2023), and Source: WIREDUrl: https://www.wired.com/story/dhs-data-hub-exposed-sensitive-intel-unauthorized-users/Date Accessed: 2023-06-01, and Source: Jeremiah Fowler (Cybersecurity Researcher)Date Accessed: 2025-06-01, and Source: Wiz Academy - Top 11 Cloud Security VulnerabilitiesUrl: https://www.wiz.io/academy/top-cloud-vulnerabilities, and Source: CrowdStrike - Common Cloud MisconfigurationsUrl: https://www.crowdstrike.com/blog/common-cloud-misconfigurations/Date Accessed: 2023-01-01, and Source: SentinelOne - Cloud Misconfiguration PreventionUrl: https://www.sentinelone.com/blog/cloud-misconfigurations/, and Source: SecPod - Top 10 Cloud MisconfigurationsUrl: https://www.secpod.com/blog/top-cloud-misconfigurations/, and Source: Nextgov, and Source: US Department of Homeland Security (DHS) Statement by Secretary Kristi Noem, and Source: Cybersecurity and Infrastructure Security Agency (CISA) Advisory on CitrixBleed, and Source: Politico, and Source: Sen. Gary Peters (D-MI) statements, and Source: Cyber Threat Alliance (Michael Daniel), and Source: Internet Security Alliance (Larry Clinton), and Source: House Homeland Security Committee, and Source: ClearanceJobs, and Source: SOCRadar (Ensar Seker, CISO), and Source: CNETUrl: https://www.cnet.com, and Source: Social Security Administration (SSA)Url: https://www.ssa.gov, and Source: E-Verify (USCIS)Url: https://www.e-verify.gov, and Source: IRS Identity Protection PINUrl: https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin, and Source: FBI Public Service Announcement (PSA)Url: https://www.ic3.gov, and Source: CISA, NSA, Canadian Centre for Cyber Security, and Source: Google security researchers, and Source: CyberScoop, and Source: US Department of Justice, and Source: Reward for Justice (US State Department), and Source: Courthouse News, and Source: CISA Directive, and Source: U.S. Department of Homeland Security (DHS) National Terrorism Advisory System bulletin, and Source: CISA, FBI, and DC3 advisory on Br0k3r threat group, and Source: The Daily Beast, and Source: Cyber Incident Description, and Source: CISA, FBI, MS-ISAC Joint AdvisoryDate Accessed: 2025-03-12, and Source: Symantec (Spearwing tracking).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Warnings Issued By Cisa, Fbi, And Acsc, Limited (internal memo obtained via FOIA; no public statement detailed), Public Statement By Dhs Secretary (2023-08-29), Media Disclosures (Bloomberg, Nextgov/Fcw), Internal Fema Staff Updates, Public Statements By Homeland Security Secretary Kristi Noem, Media Coverage (Cnn), Public Statement By Dhs Secretary Kristi Noem (2025-08-29), Media Disclosures (Bloomberg, Nextgov/Fcw), Internal Fema Staff Updates, Public Statement By Dhs Secretary Kristi Noem (August 29, 2023), Foia Disclosure (Dhs Memo), Media Reports (Wired), Public disclosure of terminations (but initially denied data loss), Sen. Peters' Public Warnings About National/Economic Security Risks, Media Outreach By Cyber Threat Alliance And Internet Security Alliance, House Democratic Staffer Comments On Program Success In State/Local Governments, Public Warnings By Cybersecurity Experts, Media Coverage Highlighting Risks, Public Advisory Via Cnet Article, Ssa And E-Verify User Notifications (E.G., Lock Expiration Alerts), Fbi Psa, Media Outreach, Direct Warnings To Potential Targets and DHS statement on risks to staff safety; public advisories on the breach.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Cisa, Fbi, Acsc, Dhs Secretary’S Public Statement, Media Briefings, Internal Fema Staff Updates, Dhs Working Group Reports, Internal Fema Staff Updates, Dhs Task Force Findings, Foia Memo (Dhs), Media Statements, None (Dhs), Recommended Password Resets For 184M Affected Users (2025 Breach), , Sen. Peters' Warnings To Reporters About National Security Risks., Cyber Threat Alliance And Internet Security Alliance Statements On Information-Sharing Impacts., House Homeland Security Committee Republican Aide Comments On Cr Extensions., House Democratic Staffer Remarks On State/Local Grant Program Success., Cybersecurity Experts Warn Of Increased Risks Due To Cisa'S Reduced Capacity., Private Sector Partners Advised To Bolster Independent Defenses Amid Government Instability., General Public Advisory On Ssn Locking And Credit Freezing., Employers Using E-Verify May Encounter Locked Ssns During Hiring Processes., Individuals Should Weigh The Inconvenience Of Locking/Unlocking Ssns Against The Risk Of Identity Theft., Credit Freezes Do Not Affect Existing Credit Accounts But Require Planning For New Credit Applications., Irs Ip Pins Must Be Renewed Annually., , Fbi Psa Warning Senior Officials And Their Contacts, Recommendations For Public Vigilance, General Public Alert Via Media, Direct Outreach To Potential High-Value Targets, , CISA directive for U.S. federal agencies to address MongoBleed vulnerability. and DHS has warned about risks to staff safety due to the leak..

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Brennan Center For Justice (Via Foia Disclosure), , Yes (focus on remote access vulnerabilities), Recommended As Corrective Action, , Cyber Threat Alliance (Information-Sharing Coordination), Internet Security Alliance (Advocacy For Policy Updates), , Identity Protection Services, Credit Monitoring Services, , Credit Monitoring, Dark Web Monitoring For Compromised Pii, , Recommendation For Individuals To Monitor Accounts, , Heightened alert about cybersecurity posture of mobile devices, Deployment of continuous monitoring solutions.

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Review and tighten data sharing practices., Improve Detection And Response Capabilities, Enhance Local Law Enforcement Training, Deploy Advanced Technologies To Mitigate Drone Threats, , Enforce Mfa For All Remote Access., Disable Unnecessary Rdp Exposure To The Internet., Restrict Powershell To Administrative Use Only., Deploy Endpoint Detection And Response (Edr) Tools To Monitor For Malicious Activity., Conduct Regular Audits Of High-Privilege Accounts., , Enforced Mfa For Fema Region 6., Disconnected Vulnerable Citrix Remote Access Tool., Terminated It Leadership Responsible For Security Failures., Public Disclosure To Raise Awareness Of Risks., , Mandatory Network Segmentation And Least-Privilege Access Policies., Continuous Monitoring For Anomalous Activity, Especially In Remote Access Vectors., Review Of Personnel Practices To Align Dismissals With Evidence-Based Accountability., Transparency In Breach Communications To Maintain Public Trust., , Enforcement Of Mfa For All Fema Employees., Disconnection Of Compromised Citrix Tools., Termination Of Responsible It Personnel., Public Disclosure Of Cybersecurity Lapses To Drive Accountability., , Personnel Changes (24 It Employees Fired), Dhs Emergency Directive For Federal Agencies To Defend Against Similar Threats, , Revised Iam Policies With Least-Privilege Principles., Implemented Network Segmentation For Hsin Platforms., Enabled Centralized Logging And Monitoring (Dhs)., Mandated Encryption For Sensitive Data (Post-2025 Breach)., Conducted Staff Training On Secure Cloud Configurations., Deployed Automated Misconfiguration Detection Tools., Established Regular Audits For Public-Facing Resources., , Termination Of Incompetent Staff (Ciso, Cio, And 22 Others)., Hiring Of New It Security Personnel., Enforcement Of Mfa And Password Resets., Potential Restructuring Of Fema'S Cybersecurity Governance., , Bipartisan Negotiation To Separate Cisa 2015 Reauthorization From Unrelated Political Disputes., Development Of A Dedicated Legislative Process For Cybersecurity Updates (E.G., 5-Year Review Cycles)., Expansion Of Cisa'S Shutdown-Exempt Staff To Maintain Core Functions., Public-Private Working Groups To Modernize Threat-Sharing Frameworks (E.G., Ai, Systemic Risks)., State/Local Cybersecurity Coalitions To Sustain Grant-Funded Initiatives During Federal Lapses., , Restoration Of Cisa'S Workforce And Budget To Pre-Cut Levels., Depoliticization Of Agency Operations To Refocus On Cybersecurity., Reinstatement Of Eliminated Subdivisions (E.G., Chemical Security)., Stronger Legislative Protections For Cybersecurity Agencies During Government Shutdowns., Increased Transparency In Communicating Risks To Stakeholders., , Increase Public Awareness Of Ssn Locks And Credit Freezes., Simplify The Process For Locking/Unlocking Ssns (E.G., Extend E-Verify Lock Duration Beyond 1 Year)., Encourage Adoption Of Multi-Factor Authentication For Ssn-Related Services., Advocate For Reduced Reliance On Ssns As Universal Identifiers., , Fbi-Led Awareness Campaigns Targeting High-Risk Groups, Encouragement Of Mfa Adoption And Password Hygiene, Development Of Ai-Detection Tools For Voice/Video Calls, Policy Changes To Limit Public Exposure Of Official Contact Details, Enhanced Collaboration Between Government Agencies And Tech Platforms To Disrupt Scam Infrastructure, , Patch deployment, security audits, enhanced monitoring, personnel training, Migration to more secure servers.

Last Ransom Demanded: The amount of the last ransom demanded was True.

Last Attacking Group: The attacking group in the last incident were an Hacker, Heritage Foundation, Heritage Foundation's Project 2025, Political ClimateTrump Administration, Political Leadership Changes, Beijing, Unnamed Ransomware Gang, BianLian ransomware group, Unauthorized Government WorkersPrivate Sector EmployeesForeign Nationals, Unknown (suspected advanced hacker group), Unidentified (possibly advanced hacking group), Nation-State ActorsCybercriminalsHacktivistsOpportunistic Hackers, Identity Thieves / Fraudsters, Chinese hackers, Salt Typhoon, NoName057(16)CyberArmyofRussia_Reborn (CARR)GRU (Russian Military Intelligence), Iran-backed hacking groupsPro-Iranian hacktivistsBr0k3r (Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm), Department of Homeland Security Whistleblower, Unknown (suspected Russian bot farm) and Medusa (Spearwing).

Most Recent Incident Detected: The most recent incident detected was on 2023-06-21.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-03-12.

Most Recent Incident Resolved: The most recent incident resolved was on 2023-05-31.

Highest Financial Loss: The highest financial loss from an incident was Ransoms ranging from $100,000 to $15 million.

Most Significant Data Compromised: The most significant data compromised in an incident were names, birthdates, nationalities, locations, , Addresses, Bank Account Information, Social Security Numbers, , 200GB of data, including records of 20,000 FBI workers and 9,000 DHS employees, Information about DHS security experts, programme analysts, IT, infosec, and security, as well as 100 individuals who hold the title of intelligence, , Employee names, Social Security numbers, Dates of birth, Positions, Grades, Duty locations, , call logs, recordings, potential location information, , , Surveillance records of American citizens, Foreign hacking/disinformation campaigns, Law enforcement tips, Domestic protest examinations, Cybersecurity intelligence (39% of accessed products), , Federal Employee Identity Data (FEMA & CBP), , FEMA Employee Data, CBP Employee Data, , Federal Employee Identity Data (FEMA and CBP), , FEMA Employee Data, CBP Employee Data, , Sensitive Intelligence (DHS), 184M User Records (2025 Breach), Plain-Text Credentials (Apple, Google, Meta, etc.), Bank Accounts, Health Platforms, Government Portals, , Unknown (FEMA initially denied data loss, but documents suggest exfiltration occurred), Social Security Numbers (SSNs), Potential personally identifiable information (PII) in breaches, , personal information, login credentials, contact lists, potentially sensitive government communications, , Credentials, sensitive data, Credentials, API keys, sensitive data, Names, work emails, telephone numbers, roles, resumé data, previous jobs, Names, personal phone numbers, and work histories of ~4,500 ICE and Border Patrol employees and Sensitive data stolen before encryption.

Most Significant System Affected: The most significant system affected in an incident were DHS OIG Case Management System and and DHS Office of Intelligence and Analysis (I&A) PlatformHomeland Security Information Network (HSIN) and FEMA Region 6 ServersMicrosoft Active DirectoryCitrix Remote Desktop Tool and FEMA Computer NetworkDHS Systems (partial)Citrix Remote Access Infrastructure and FEMA Region 6 ServersMicrosoft Active DirectoryCitrix Remote Desktop Software and FEMA Computer Network (regional: New Mexico, Texas, Louisiana)Citrix Remote Access Software and HSIN-Intel Platform (DHS)Unsecured Database (2025 Breach) and Citrix SystemFEMA Region 6 Servers (Arkansas, Louisiana, New Mexico, Oklahoma, Texas) and Critical Infrastructure (e.g., power grids, water treatment plants)Federal Cyber Defense SystemsThreat Intelligence Sharing Platforms and WindowsVMware vSphere and and Water systemsFood supply chainsPublic servicesMeat processing facilitiesGovernment websites and and .

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was brennan center for justice (via foia disclosure), , cyber threat alliance (information-sharing coordination), internet security alliance (advocacy for policy updates), , identity protection services, credit monitoring services, .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Improved detection and response capabilitiesLocal law enforcement trainingTechnology deployment, auditing RDP usagedisabling command-line scriptingrestricting PowerShell, Disconnected Citrix Remote Access Tool (2023-07-16)Enforced Multifactor Authentication, Localization of Breach (mid-July 2025)Network SegmentationAccess Revocation, Disconnection of Citrix Remote Access Tool (2025-07-16)Enforcement of Multifactor Authentication (MFA), Initial efforts launched mid-July 2023Ongoing remediation as of September 5, 2023, Password resetsMulti-Factor Authentication (MFA) enforcement, SSN Lock via SSA or E-VerifyCredit Freeze via Credit BureausIRS Identity Protection PIN, public service announcement (PSA)awareness campaignreporting via IC3 (Internet Crime Complaint Center), Immediate patch deployment, enforcement of robust password policies, continuous monitoring and Migration to more secure servers.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Positions, 200GB of data, including records of 20,000 FBI workers and 9,000 DHS employees, Sensitive data stolen before encryption, potentially sensitive government communications, Dates of birth, Federal Employee Identity Data (FEMA & CBP), Health Platforms, birthdates, Foreign hacking/disinformation campaigns, Cybersecurity intelligence (39% of accessed products), potential location information, Credentials, API keys, sensitive data, Names, personal phone numbers, and work histories of ~4,500 ICE and Border Patrol employees, nationalities, Duty locations, Domestic protest examinations, Bank Account Information, 184M User Records (2025 Breach), personal information, Social Security numbers, CBP Employee Data, Social Security Numbers, Law enforcement tips, Federal Employee Identity Data (FEMA and CBP), Potential personally identifiable information (PII) in breaches, Addresses, Names, work emails, telephone numbers, roles, resumé data, previous jobs, Unknown (FEMA initially denied data loss, but documents suggest exfiltration occurred), recordings, login credentials, Grades, Employee names, contact lists, Information about DHS security experts, programme analysts, IT, infosec, and security, as well as 100 individuals who hold the title of intelligence, Credentials, sensitive data, FEMA Employee Data, names, Sensitive Intelligence (DHS), Government Portals, Social Security Numbers (SSNs), Plain-Text Credentials (Apple, Google, Meta, etc.), locations, Bank Accounts, call logs and Surveillance records of American citizens.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 184.3M.

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Pending Extradition to the US, Termination of 24 FEMA Employees (Including IT Leadership), , Personnel Dismissals (20 IT workers), Administrative Leave for Others, , Termination of 24 FEMA Employees (Including IT Executives), , Internal disciplinary actions (24 employees fired), , Indictment, Conspiracy charges, Fraud charges, Identity theft charges, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Proactive communication from authorities can mitigate large-scale campaigns., Importance of maintaining robust and up-to-date cybersecurity defenses, regular security audits, and adherence to best security practices., Need for stronger internal accountability mechanisms within DHS; risks of whistleblower leaks in high-profile agencies; importance of protecting law enforcement personnel data.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Clarify distinctions between CISA (the agency) and CISA 2015 (the law) to address political misconceptions., Enforce **multi-factor authentication (MFA)** on all admin accounts., Modernize the definition of 'cyber-threat indicators' to include supply chain and AI-related threats., Enforce robust and complex password policies., Harness advanced threat detection tools to proactively identify and counteract potential database attacks., Improve detection and response capabilities, Implement centralized IT monitoring to detect anomalies., Restore full funding for CISA to avoid operational gaps during shutdowns., Share SSNs only when absolutely necessary and never in response to unsolicited requests., Implement stricter access controls for sensitive employee data within DHS., Lock your SSN via SSA or E-Verify to prevent employment fraud., Implement strict data sharing policies and procedures to prevent oversharing of sensitive information., Freeze credit with all three major bureaus (Experian, Equifax, TransUnion) to block unauthorized credit accounts., Public transparency reports for breaches impacting national security data., Encrypt **data at rest and in transit** (avoid plain-text storage)., Implement strong authentication practices across all critical systems., Conduct regular access reviews and privilege audits., Provide cybersecurity training for IT executives and staff., Mandate MFA for all remote access and privileged accounts., Review CISA's role as a sector risk management agency for the telecommunications industry; Justify the Mobile App Vetting Program's termination and detail CISA's updated plan for the telecommunications industry, Regularly update and patch remote management software., Immediate patching of known critical vulnerabilities (e.g., CitrixBleed, PAN-OS)., Monitor for unusual data exfiltration patterns., Implement mandatory multi-factor authentication (MFA) for all remote access systems., Mandate MFA across all government systems and applications., Reevaluate employee termination policies post-breach, Enable **centralized logging and monitoring** with context-aware alerts., Regular security audits to validate compliance and preparedness., Train staff on **secure cloud deployment practices** (e.g., Infrastructure as Code templates)., Enhance transparency in public communications about incidents, Provide training for personnel on best security practices., Implement network segmentation to limit lateral movement., Foster a culture of accountability and transparency in cybersecurity practices., Implement zero-trust architecture for intelligence-sharing platforms., Audit and secure RDP access with MFA and network segmentation., Establish bipartisan task forces to depoliticize cybersecurity legislation., Educate employees on phishing risks to prevent credential theft., Conduct regular audits of third-party software vulnerabilities., Enhance incident response protocols for timely detection and containment., Segment networks to **limit lateral movement** in case of breaches., Conduct regular security audits to uncover and resolve gaps or misconfigurations., Improve public communication strategies to address accountability concerns without endangering staff., Enhance whistleblower protections and internal reporting channels for misconduct., Use identity protection or credit monitoring services for ongoing alerts., Investigate the dismissals of FEMA IT leaders to ensure accountability is evidence-based., Develop contingency plans for government shutdowns to minimize disruptions to cyber defense., Enhance public awareness of the risks posed by CISA's reduced capacity., Immediately apply the latest security patches released by MongoDB developers., Enhance logging and anomaly detection for unauthorized access attempts., Implement zero-trust architecture to limit lateral movement., Deploy continuous monitoring solutions to detect abnormal database activity., Restrict PowerShell and command-line scripting to limit attacker lateral movement., Reauthorize the State and Local Cybersecurity Grant Program for 10 years, with provisions for AI-system support., Conduct independent review of DHS/FEMA cybersecurity protocols, Enforce MFA and password policies across all systems., Implement **least-privilege access** and **just-in-time permissions** for IAM roles., Establish clearer incident response protocols for credential-based breaches., Establish a unified communication protocol for breach disclosures to avoid conflicting narratives., Prioritize retention of key divisions like ISD and SED to maintain critical infrastructure protection., Prioritize **human-centric security** (training, process improvements) alongside technical controls., Obtain an IRS Identity Protection PIN to prevent tax fraud., Regularly review financial accounts and credit reports for suspicious activity., Conduct **regular audits** of public-facing storage (buckets, databases, APIs)., Conduct a thorough review of data security practices for law enforcement agencies., Restore and increase funding for CISA to address workforce shortages and operational gaps., Enhance local law enforcement training, Enhance endpoint detection and response (EDR) capabilities., Enhance collaboration with cybersecurity firms to proactively detect and mitigate advanced threats., Pass a 10-year reauthorization of CISA 2015 with retroactive protections to Oct. 1, 2023., Incentivize sharing of single-point-of-failure data to address systemic risks., Deploy advanced technologies to mitigate drone threats, Use **automated policy-as-code tools** (e.g., Terraform, Open Policy Agent) to prevent drift., Avoid politicizing CISA's mission to ensure bipartisan support for cybersecurity., Address **shadow IT** with discovery tools and governance policies., Conduct a third-party audit of DHS/FEMA cybersecurity posture and focusing on remote access and privilege management..

Most Recent Source: The most recent source of information about an incident are FBI Public Service Announcement (PSA), Internet Security Alliance (Larry Clinton), Nextgov, Cyber Threat Alliance (Michael Daniel), DHS Public Statement (2023-08-29), E-Verify (USCIS), Courthouse News, AFP/Getty Images (FEMA HQ photo), Wiz Academy - Top 11 Cloud Security Vulnerabilities, Avast Decryption Tool Release (2023), CISA Ransomware Vulnerability Warning Pilot (RVWP) Program, SentinelOne - Cloud Misconfiguration Prevention, CyberScoop, DHS Emergency Directive (post-breach), Brennan Center for Justice (FOIA Obtained DHS Memo), Jeremiah Fowler (Cybersecurity Researcher), CISA, FBI, MS-ISAC Joint Advisory, SecPod - Top 10 Cloud Misconfigurations, CISA, NSA, Canadian Centre for Cyber Security, AFP, Nextgov/FCW, DHS Public Statement (August 29, 2023), ACSC Alert on BianLian Threat, Motherboard, Internal FEMA Document (reviewed by CNN), NextGov/FCW, Google security researchers, CNN, Cyber Incident Description, US Department of Justice, ClearanceJobs, Cybersecurity and Infrastructure Security Agency (CISA) Advisory on CitrixBleed, Sen. Gary Peters (D-MI) statements, CISA, FBI, and DC3 advisory on Br0k3r threat group, CrowdStrike - Common Cloud Misconfigurations, Bloomberg News, Social Security Administration (SSA), Statement by Homeland Security Secretary Kristi Noem, DHS Public Statement (Secretary Kristi Noem), Politico, CISA Directive, IRS Identity Protection PIN, CNET, U.S. Department of Homeland Security (DHS) National Terrorism Advisory System bulletin, FBI Warning on BianLian Extortion Tactics, CISA Advisory on BianLian Ransomware, US Department of Homeland Security (DHS) Statement by Secretary Kristi Noem, House Homeland Security Committee, Reward for Justice (US State Department), WIRED, The Daily Beast, Symantec (Spearwing tracking), SOCRadar (Ensar Seker and CISO).

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.cisa.gov/stopransomware, https://www.gettyimages.com/detail/news-photo/fema-headquarters-is-pictured-in-washington-dc-on-february-news-photo/1238567890, https://www.bloomberg.com, https://www.nextgov.com, https://www.wired.com/story/dhs-data-hub-exposed-sensitive-intel-unauthorized-users/, https://www.wiz.io/academy/top-cloud-vulnerabilities, https://www.crowdstrike.com/blog/common-cloud-misconfigurations/, https://www.sentinelone.com/blog/cloud-misconfigurations/, https://www.secpod.com/blog/top-cloud-misconfigurations/, https://www.cnet.com, https://www.ssa.gov, https://www.e-verify.gov, https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin, https://www.ic3.gov .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was CISA, FBI, ACSC, DHS Secretary’s Public Statement, Media Briefings, Internal FEMA Staff Updates, DHS Working Group Reports, Internal FEMA staff updates, DHS Task Force findings, FOIA Memo (DHS), Media Statements, Sen. Peters' warnings to reporters about national security risks., Cyber Threat Alliance and Internet Security Alliance statements on information-sharing impacts., House Homeland Security Committee Republican aide comments on CR extensions., House Democratic staffer remarks on state/local grant program success., Cybersecurity experts warn of increased risks due to CISA's reduced capacity., Private sector partners advised to bolster independent defenses amid government instability., General public advisory on SSN locking and credit freezing., Employers using E-Verify may encounter locked SSNs during hiring processes., FBI PSA warning senior officials and their contacts, recommendations for public vigilance, CISA directive for U.S. federal agencies to address MongoBleed vulnerability., DHS has warned about risks to staff safety due to the leak., .

Most Recent Customer Advisory: The most recent customer advisory issued were an None (DHS)Recommended Password Resets for 184M Affected Users (2025 Breach), Individuals should weigh the inconvenience of locking/unlocking SSNs against the risk of identity theft.Credit freezes do not affect existing credit accounts but require planning for new credit applications.IRS IP PINs must be renewed annually. and General public alert via mediadirect outreach to potential high-value targets.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an RDP credentials (phishing or purchased from IABs), Citrix Remote Access Software, Citrix Systems Inc.’s Remote Desktop Software (Compromised Credentials), Email Account, Citrix System (via stolen credentials) and Citrix Remote Access Software (via government contractor).

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Unknown (likely weeks prior to mid-July 2025), Unknown (breach lasted 'several weeks' in summer 2023).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Oversharing of data with a private contractor., Lack of adequate detection and response capabilities for drone threats, Weak or stolen RDP credentialsLack of MFA on critical access pointsUnrestricted use of PowerShell for scriptingInsufficient monitoring for data exfiltration, Programming error leading to misconfigured access controls.Inadequate segmentation of sensitive intelligence products.Lack of real-time monitoring for unauthorized access patterns., Lack of multifactor authentication (MFA) for remote access.Compromised credentials in Citrix remote desktop software.Inadequate monitoring of lateral movement within the network.Failure to segment high-value systems (e.g., Active Directory)., Inadequate security controls for remote access systems (Citrix).Failure to detect lateral movement in a timely manner.Potential insider threats or misconfigured privileges enabling deep access.Organizational turmoil (e.g., dismissals, restructuring) distracting from cybersecurity focus., Lack of multifactor authentication (MFA) across FEMA systems.Exploitation of vulnerable Citrix remote access software.Inadequate monitoring of network access and lateral movement.IT leadership failures in cybersecurity governance., Unpatched Citrix vulnerabilityInadequate network monitoringLateral movement controls failurePossible insider threats or misconfigurations, Overly permissive IAM policies ('everyone' access).Lack of network segmentation (DHS).Disabled logging/missing alerts (no detection of unauthorized access).Human error in access configuration (HSIN-Intel).Plain-text storage of credentials (2025 Breach).Complex cloud architectures without adequate governance.Shadow IT/unmonitored accounts (potential factor).Inadequate policy-as-code enforcement., Failure to patch CitrixBleed vulnerability despite prior warnings.Misrepresentation of security preparedness by FEMA staff.Lack of centralized IT monitoring to detect the breach earlier., Political gridlock preventing timely reauthorization of critical cybersecurity programs.Conflation of CISA 2015 (law) with CISA (agency) by key senators (e.g., Rand Paul).Over-reliance on short-term Continuing Resolutions for long-term cybersecurity needs.Lack of clear legislative vehicles for updating CISA 2015's threat definitions (e.g., AI, supply chain).Insufficient contingency planning for CISA operations during government shutdowns., Government shutdown leading to furloughs and layoffs at CISA.Political disputes redirecting agency focus away from core cybersecurity missions.Budget cuts targeting critical divisions (e.g., ISD, SED).High attrition rate (1,000+ employees left in 2023).Perceived mission creep (e.g., misinformation efforts) distracting from cybersecurity priorities., Widespread exposure of SSNs in data breaches enables identity theft.Lack of proactive protections (e.g., unlocked SSNs, unfrozen credit) leaves individuals vulnerable.Social engineering tactics (e.g., phishing) trick individuals into disclosing SSNs., Over-reliance on trust in digital communicationsLack of widespread MFA adoptionPublic exposure of personal/professional details (e.g., LinkedIn, government directories)Limited public awareness of AI-generated scam tacticsDelayed reporting of suspicious activity, Advanced malware (BRICKSTORM) with obfuscation and persistence features, State-sponsored cyber warfareGeopolitical conflict exploitation, Exploitation of misconfigured or default security settings in MongoDB databases, Lack of internal accountability for law enforcement actions; whistleblower dissatisfaction with agency practices; public outrage over ICE agent's fatal shooting of Renee Nicole Good., Suspected coordinated effort to suppress leaked data, Exploitation of known vulnerabilitiesUse of remote management tools for persistenceLiving-off-the-land techniques.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Review and tighten data sharing practices., Improve detection and response capabilitiesEnhance local law enforcement trainingDeploy advanced technologies to mitigate drone threats, Enforce MFA for all remote access.Disable unnecessary RDP exposure to the internet.Restrict PowerShell to administrative use only.Deploy endpoint detection and response (EDR) tools to monitor for malicious activity.Conduct regular audits of high-privilege accounts., Enforced MFA for FEMA Region 6.Disconnected vulnerable Citrix remote access tool.Terminated IT leadership responsible for security failures.Public disclosure to raise awareness of risks., Mandatory network segmentation and least-privilege access policies.Continuous monitoring for anomalous activity, especially in remote access vectors.Review of personnel practices to align dismissals with evidence-based accountability.Transparency in breach communications to maintain public trust., Enforcement of MFA for all FEMA employees.Disconnection of compromised Citrix tools.Termination of responsible IT personnel.Public disclosure of cybersecurity lapses to drive accountability., Personnel changes (24 IT employees fired)DHS emergency directive for federal agencies to defend against similar threats, Revised IAM policies with least-privilege principles.Implemented network segmentation for HSIN platforms.Enabled centralized logging and monitoring (DHS).Mandated encryption for sensitive data (post-2025 Breach).Conducted staff training on secure cloud configurations.Deployed automated misconfiguration detection tools.Established regular audits for public-facing resources., Termination of incompetent staff (CISO, CIO, and 22 others).Hiring of new IT security personnel.Enforcement of MFA and password resets.Potential restructuring of FEMA's cybersecurity governance., Bipartisan negotiation to separate CISA 2015 reauthorization from unrelated political disputes.Development of a dedicated legislative process for cybersecurity updates (e.g., 5-year review cycles).Expansion of CISA's shutdown-exempt staff to maintain core functions.Public-private working groups to modernize threat-sharing frameworks (e.g., AI, systemic risks).State/local cybersecurity coalitions to sustain grant-funded initiatives during federal lapses., Restoration of CISA's workforce and budget to pre-cut levels.Depoliticization of agency operations to refocus on cybersecurity.Reinstatement of eliminated subdivisions (e.g., Chemical Security).Stronger legislative protections for cybersecurity agencies during government shutdowns.Increased transparency in communicating risks to stakeholders., Increase public awareness of SSN locks and credit freezes.Simplify the process for locking/unlocking SSNs (e.g., extend E-Verify lock duration beyond 1 year).Encourage adoption of multi-factor authentication for SSN-related services.Advocate for reduced reliance on SSNs as universal identifiers., FBI-led awareness campaigns targeting high-risk groupsEncouragement of MFA adoption and password hygieneDevelopment of AI-detection tools for voice/video callsPolicy changes to limit public exposure of official contact detailsEnhanced collaboration between government agencies and tech platforms to disrupt scam infrastructure, Patch deployment, security audits, enhanced monitoring, personnel training, Migration to more secure servers.