The Federal Bureau of Investigation (FBI) has described the security breach of its law enforcement surveillance system, attributed to suspected Chinese hackers, as a “major incident.”
Under the Federal Information Security Modernization Act (FISMA) and the Office of Management and Budget's implementing guidance, a "major incident" is one likely to cause demonstrable harm to U.S. national security interests, foreign relations, or the economy, or to public confidence, civil liberties, or public health and safety. A breach involving the personally identifiable information of 100,000 or more individuals also qualifies.
How the security breach of the FBI surveillance system unfolded
The FBI learned of the intrusion after detecting suspicious activity on an unclassified network. It opened an investigation on February 17 and initiated its incident response procedures. The probe determined that the unauthorized access came through a third-party entity, and on March 23 the FBI classified the breach as a "major incident."
“The FBI identified anomalous activity on an unclassified network and quickly leveraged all technical capabilities to remediate the incident,” the agency stated. “It was determined the access was obtained through a third party and constitutes a major incident under the Federal Information Security Modernization Act (FISMA).”
The breach affected a surveillance system used to collect intercepted incoming and outgoing phone communications. The attackers may have exfiltrated wiretap data and personally identifiable information from that system.
The FBI says it has taken the necessary steps to address the breach and has notified Congress, and it has vowed to continue countering state-sponsored threats.
“The FBI is following the required steps under FISMA, including notifying Congress, and remains focused on countering nation-state and cybercriminal activity,” it said.
The Department of Justice and the FBI are conducting a forensic investigation to determine the full scope of the security breach and recommend actions to enhance the security of government systems. The DOJ also recommended establishing “a working group dedicated to enhancing cyber resilience and improving cyber incident response processes.”
“The FBI just classified the breach of its wiretap surveillance network as a FISMA major incident,” said Michael Bell, Founder & CEO, Suzu Labs. “The system is the Digital Collection System Network, which stores court-authorized wiretap returns, pen register metadata, FISA warrant data, and personally identifiable information on active FBI investigation targets. The attackers got in through a vendor ISP that connects to the FBI’s network, not through the FBI’s own defenses. The Wall Street Journal reports that investigators suspect Chinese government-affiliated hackers.”
Chinese fingerprints all over
The FBI has not released details regarding the identity of the threat actor or the type of data potentially accessed, although investigative data and call metadata were likely involved.
However, news sources have attributed the security breach of the FBI’s surveillance system to a Chinese state-sponsored threat actor. The FBI has also hinted that a state-sponsored actor was likely behind the security breach. The motive of the attack was likely an intelligence-gathering mission to identify U.S. assets worldwide by analyzing call metadata extracted from the surveillance system.
The FBI has not disclosed the tactics used to breach the system, but entry through a third-party provider mirrors the approach of the Chinese hacking group Salt Typhoon, which was responsible for a string of breaches affecting major telecommunications providers and both parties' 2024 presidential campaigns.
“This is the same playbook,” added Bell. “Salt Typhoon compromised lawful intercept systems at AT&T and Verizon in 2024 by exploiting the telecom infrastructure that CALEA requires carriers to maintain for government surveillance. Now someone used the same supply chain approach on the FBI’s end of that infrastructure. CALEA mandated wiretap capability in 1994. Nobody mandated that the capability be secured against adversaries. Senator Wyden proposed legislation to fix that after the Salt Typhoon telecom breaches. It went nowhere. The vulnerability is still open.”
Hackers continue to target government agencies
State-sponsored hackers and independent cybercriminals have frequently employed sophisticated tactics and social engineering to breach government agencies.
“The FBI had at least three distinct cyber incidents in March 2026,” Bell said. “The DCSNet breach is attributed to suspected Chinese state-sponsored actors. The Kash Patel email compromise was claimed by Iran’s Handala Hack Team. Politico reports additional intrusions involving internal systems. Multiple adversaries, different attack vectors, one agency, one month. The White House, DHS, and NSA all joined the DCSNet investigation, which is not the response you see for a routine breach.”
In November 2025, the Congressional Budget Office also disclosed a cyber incident that potentially exposed its data. Separately, hackers breached telecommunications giant AT&T and accessed law enforcement data, including agents' call and text logs, potentially exposing FBI informants and witnesses.
In 2023, the FBI experienced a security breach at its New York office, affecting a system used for investigating child exploitation.