Hackers have stolen employee data from the Federal Emergency Management Agency (FEMA) and the U.S. Customs and Border Protection (CBP) in a months-long data breach reported by NextGOV/FCW.
The attacker leveraged stolen credentials to breach FEMA’s Citrix virtual desktop and exfiltrate data from Region 6 servers after gaining access to the Active Directory, which manages privileged access.
The affected region encompasses the southern states of Arkansas, Louisiana, and Oklahoma, as well as the southern border states of Texas and New Mexico, and 70 tribal territories.
While the motive of the attack remains unknown, some of the affected states have been the heart of the ongoing immigration debate that has raised political temperatures across the country.
DHS: FEMA data breach stemmed from incompetence, negligence, and cover-up
FEMA’s routine system audit uncovered a vulnerability that allowed the threat actors to breach its system, threatening “the entire department and the nation as a whole.”
The agency’s IT employees were accused of resisting efforts to fix the security vulnerability, avoiding scheduled inspections, and lying about the scope of the problem.
“When DHS stepped in to fix the problem, entrenched bureaucrats worked to prevent us from solving the problem and downplayed just how bad this breach was,” said the U.S. Secretary of Homeland Security Kristi Noem.
FEMA was notified of the June 22 data breach on July 7, 2025. However, by July 14, the threat actor was still trying to entrench themselves and attempted to install networking tools to exfiltrate employee data.
Similarly, remediation efforts began on July 16, enabling the attacker to maintain persistence between June 22 and August 5.
“This breach targeting both FEMA and Customs and Border Protection highlights the growing risk of lateral movement across interconnected federal systems, especially when regional network segments are left exposed,” said Ensar Seker, CISO at SOCRadar. “A compromise that lasted ‘several weeks’ without detection suggests not just a failure of preventive security controls, but likely gaps in real-time monitoring and behavioral anomaly detection.”
On September 5, the agency took additional actions, including changing ZScaler policies and blocking certain websites. On August 18, the federal agency further directed all its employees to reset their passwords.
In her statement, the DHS Secretary also disclosed that FEMA suffered from agency-wide lack of multi-factor authentication, failure to fix known vulnerabilities, use of prohibited protocols, and lack of operational visibility.
Subsequently, two dozen FEMA technology employees, including two top IT executives, were fired as a direct result of the data breach. Top IT officials terminated include FEMA Chief Information Officer (CIO) Charles Armstrong and the agency’s Chief Information Security Officer (CISO) Gregory Edwards.
“These deep-state individuals were more interested in covering up their failures than in protecting the Homeland and American citizens’ personal data, so I terminated them immediately. The American people deserve results from their government,” Noem added.
However, Noem disputed the data breach allegations by claiming that the attacker did not exfiltrate sensitive information from the DHS networks, on which FEMA and CBP operate.
The department’s spokesperson also reiterated the DHS Secretary’s stance, claiming that there was “no evidence that sensitive DHS operational data had been compromised” when she made the statement.
Noem also accused FEMA’s IT leadership of failing “on every level” due to incompetence, resulting in the agency-wide data breach.
Details of data breach undisclosed
Meanwhile, the identity of the threat actor behind the FEMA and CBP data breach, the number of employees impacted, and the personal details compromised, remain unknown.
The agency has also yet to disclose the Citrix vulnerability exploited. However, Paul Bischoff, a Consumer Privacy Advocate at Comparitech, suggests that the unpatched CitrixBleed vulnerability CVE-2023-4966 in NetScaler ADC and NetScaler Gateway was likely exploited.
“I surmise that hackers exploited the CitrixBleed vulnerability in an unpatched version of the Citrix NetScaler software, which is used for VPNs and other network gateways,” Bischoff said.
“The incident underscores the urgency for agencies like DHS to implement more robust Zero Trust architectures, extend attack surface visibility into traditionally siloed regional environments, and continuously audit access paths, especially for hybrid or legacy systems,” concluded Seker.

