The bad actors that attacked the U.S. Federal Emergency Management Agency this summer in a data breach that roiled government officials and led to the firing of two dozen FEMA employees were able to steal employee data from both that agency and the U.S. Customs and Border Protection (CBP) office.
According to an internal FEMA assessment given to agency staff this week and seen by news organizations, investigators said the “widespread” breach lasted several weeks after the unknown hacker gained access to one of the agency’s computer networks that managed operations in New Mexico, Texas, Arkansas, Oklahoma, and Louisiana, as well as dozens of tribal nations.
The document found that on September 10, a task force from the Department of Homeland Security (DHS) – which oversees both FEMA and CBP – discovered that the attacker had been able to steal data from the two agencies, contradicting Homeland Security Secretary Kristi Noem’s August 29 statement that “no sensitive data was extracted from any DHS networks,” according to a CNN report.
According to both CNN and NextGov/FCW, which also viewed part of a presentation about the incident, hackers in June gained access to a Citrix virtual desktop infrastructure inside FEMA using compromised login credentials, and the data was exfiltrated from FEMA servers.
NextGov/FCW reported that the DHS security operations team was notified of the breach on July 7, and that a week later the attackers tried to install virtual networking software using a highly privileged account. The software would have allowed the hacker to harvest information.
DHS started remediation efforts two days later. According to CNN, the assessment found that by September 5 – nearly two months after remediation began – both DHS and FEMA were still trying to contain the incident. According to the reports, the steps taken during that time included ordering FEMA employees to change their passwords, changing Zscaler policies, and blocking some websites.
Noem announced the firings August 29 in a statement that called the targeted FEMA employees “deep-state individuals,” “entrenched bureaucrats,” and “inept,” and said they “brazenly neglected basic security protocols.”
She said there was an “agency-wide lack of multi-factor authentication [MFA], use of prohibited legacy protocols, failing to fix known and critical vulnerabilities, and inadequate operational visibility.”
Among those fired were FEMA CIO Charles Armstrong and CISO Gregory Edwards. FEMA has been one of the federal agencies President Trump has targeted since returning to office, being hit with budget cuts, layoffs, and threats to shut the entire agency down. Dozens of FEMA employees petitioned Congress to restore the agency’s funding and derided the new leadership as unqualified.
The assessment reportedly said that the hackers were able to bypass protections – including MFA – by exploiting CitrixBleed 2, tracked as CVE-2025-5777, a critical out-of-bounds memory read (buffer overread) vulnerability affecting the vendor’s NetScaler ADC and NetScaler Gateway appliances. Because the flaw leaks the contents of appliance memory, including session tokens belonging to users who have already authenticated, an attacker who replays a stolen token inherits that user’s authenticated session and never has to answer the MFA prompt.
According to researchers at Fortinet’s FortiGuard unit, the vulnerability emerged this year and has been actively abused by hackers, adding that “exploiting this issue could allow attackers to access sensitive data directly from memory, potentially exposing credentials, session tokens, or other confidential information.”
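The reason a memory-disclosure bug of this kind defeats MFA is that a gateway treats the session token as proof that authentication, MFA included, has already happened; whoever presents the token gets the session. The following Python model is an added illustration written for this article, not Citrix code and not anything from the FEMA assessment: a toy gateway issues an opaque bearer token after password plus one-time code, an attacker who has obtained that token (standing in for a token read out of leaked memory) is served without ever being challenged, and only revoking every live session after the fix closes the door. The user, credentials and IP addresses are constructed sample data, and the one-time code is a fixed string rather than real TOTP.

```python
"""Toy gateway showing why a leaked session token bypasses MFA and why
patching alone is not enough: existing sessions must be killed too.
Added example; it models no real product's internals."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    mfa_verified: bool
    client_ip: str


class Gateway:
    """Minimal VPN/VDI front door: password + one-time code -> bearer token."""

    def __init__(self) -> None:
        # Constructed sample user; the "OTP" is a fixed string for the toy.
        self.users = {"alice": ("correct horse battery", "123456")}
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, password: str, otp: str, client_ip: str):
        """Full authentication. Returns a token only if both factors pass."""
        expected_pw, expected_otp = self.users.get(user, (None, None))
        if password != expected_pw or otp != expected_otp:
            return None
        token = secrets.token_hex(16)           # opaque, unguessable bearer token
        self.sessions[token] = Session(user, True, client_ip)
        return token

    def request(self, token: str, client_ip: str) -> str:
        """Every later request is authorised by the token alone: no password,
        no MFA. That is exactly what a memory-leaked token lets an attacker reuse."""
        session = self.sessions.get(token)
        if session is None:
            return "401 no valid session"
        return f"200 OK as {session.user} (mfa_verified={session.mfa_verified})"

    def kill_all_sessions(self) -> int:
        """Post-patch step: invalidate every token that may have been leaked."""
        count = len(self.sessions)
        self.sessions.clear()
        return count


def demo() -> dict:
    """Walk through the victim login, the attacker's replay, and revocation."""
    gw = Gateway()
    # Victim authenticates properly from the office network (constructed IP).
    victim_token = gw.login("alice", "correct horse battery", "123456", "10.0.0.5")

    # Attacker has no password and no OTP...
    failed_login = gw.login("alice", "correct horse battery", "000000", "203.0.113.9")

    # ...but holds the victim's token, standing in for a token read from leaked
    # appliance memory. The gateway cannot tell this replay from the real user.
    leaked_token = victim_token
    replay = gw.request(leaked_token, "203.0.113.9")

    # Patching the disclosure bug stops new leaks; killing sessions stops reuse
    # of tokens that were already taken before the patch.
    killed = gw.kill_all_sessions()
    after_revocation = gw.request(leaked_token, "203.0.113.9")

    return {
        "victim_logged_in": victim_token is not None,
        "attacker_login_failed": failed_login is None,
        "replay": replay,
        "sessions_killed": killed,
        "after_revocation": after_revocation,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical point for defenders is the last two steps: a patch closes the leak, but every token issued before the patch must be treated as stolen and revoked, and forcing password changes (as FEMA did) does nothing to a token that is already live. A harder version of this gateway would also bind each session to client attributes it checks on every request, so a token presented from a different source is rejected even before revocation.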
NextGov/FCW reported that the assessment also noted that Citrix failed to alert government officials to the scale of the threat and how to contain it, and that staffing shortages at FEMA that were there before President Trump returned to office made problems worse.
Security professionals said there were a number of worrying signs in the report. Ensar Seker, CISO of SOCRadar, said the data breach of both FEMA and CBP illustrated the risks of lateral movement by threat actors through interconnected federal systems, and that a compromise lasting weeks indicates not only a failure of security controls but gaps in real-time monitoring and in detecting behavioral anomalies.
“This isn’t just a data breach; it’s a breach of trust in systems that Americans rely on during disasters,” Seker said. “If the attacker maintained persistence long enough to pivot laterally, they could have exfiltrated sensitive employee PII [personally identifiable information], internal operational planning data, and potentially even response coordination protocols, all of which could be weaponized in future incidents.”
Paul Bischoff, consumer privacy advocate at Comparitech, also bemoaned the length of the breach, noting that it “usually implies that DHS failed to properly secure the data. If the data was left exposed to the internet for that long, then any number of hackers could have found and stolen it in that time.”
For SOCRadar’s Seker, another concern is that no threat actor has yet been named.
“The longer attribution remains unclear, the greater the uncertainty for federal employees, partners, and the public,” he said. “The incident underscores the urgency for agencies like DHS to implement more robust zero trust architectures, extend attack surface visibility into traditionally siloed regional environments, and continuously audit access paths, especially for hybrid or legacy systems.”
There has also been a rise in nation-state-linked threat actors exploiting weakly segmented infrastructure and federated identities across government agencies.
“This breach is a textbook case of why cybersecurity shouldn’t be managed in operational silos,” Seker said. “For federal agencies, the stakes aren’t just reputational or financial. They’re national security.”