The U.S. Congressional Budget Office has confirmed it was hacked. A spokesperson for the agency, Caitlin Emma, stated that an investigation into the breach is underway. She confirmed the agency identified the security incident, took immediate action to contain it, and has implemented additional monitoring and new security controls to protect its systems.
The Congressional Budget Office is a nonpartisan agency that provides economic analysis and cost estimates to lawmakers. This work occurs during the federal budget process and after legislative bills are approved at the committee level in the House and Senate.
The Washington Post first reported the breach, noting that unspecified foreign hackers were behind the intrusion. According to the report, officials at the budget office are concerned that the hackers accessed internal emails and chat logs. Communications between the offices of lawmakers and the agency’s researchers may also have been compromised.
Reuters reported that the Senate Sergeant at Arms office notified congressional offices of the breach. The warning stated that emails between the Congressional Budget Office and these offices could have been accessed. The compromised information might be used to craft and send phishing attacks.
It remains unclear how the hackers initially gained access to the network. However, soon after the breach became public, security researcher Kevin Beaumont wrote on Bluesky that he suspected hackers exploited the agency’s outdated Cisco firewall to break in.
Last month, Beaumont noted that the budget office had a Cisco ASA firewall on its network that was last patched in 2024. At the time of his posting, the firewall was allegedly vulnerable to a series of newly discovered security bugs. These vulnerabilities were reportedly being exploited by suspected Chinese government-backed hackers.
Beaumont said the firewall had not been patched by the time the federal government shutdown took effect on October 1. He later stated that the firewall is now offline.
The Congressional Budget Office spokesperson declined to comment when asked about Beaumont’s findings. Spokespeople for Cisco did not immediately respond to a request for comment.