Feds investigating data breach exposing Congress’ sensitive personal data

Federal officials are investigating a data breach of a Washington health insurance marketplace that exposed sensitive personal data such as Social Security numbers connected to lawmakers, their families and congressional staffers.

House and Senate lawmakers were told Wednesday that hackers may have obtained access to their data via a breach hitting DC Health Link.

The FBI said in a statement Thursday that it was aware of the incident and was assisting.

House Speaker Kevin McCarthy and House Minority Leader Hakeem Jeffries warned in a letter to the DC Health Benefit Exchange Authority obtained by NBC that the fallout from the breach could be “extraordinary.” The letter said the FBI purchased from the dark web some of the hacked material, including Social Security numbers and other data connected to lawmakers and congressional staffers.

House Chief Administrative Officer Catherine Szpindor told lawmakers and their staffs that the FBI believed data on hundreds of them was stolen, according to a letter from Ms. Szpindor obtained by Punchbowl News.

A chief administrative office spokesperson said Thursday that the office would send updates to lawmakers and staffers that it gets from law enforcement.

A sample of stolen data reviewed by The Associated Press included Social Security numbers, addresses, phone numbers and emails.

Such information may be used by cyberattackers to create new online identities and accounts for nefarious purposes, according to Jack Danahy, vice president at the information security consulting firm NuHarbor Security.

Mr. Danahy said the potential community of victims is highly likely to be far larger than elected officials.

“The biggest risk is that this private information is used to create staging grounds for future data theft, espionage, and potentially financial crimes,” Mr. Danahy said in a statement. “The victims likely comprise a meaningful network of trusted individuals at all levels of the federal government and the hijacking of these identities can have long-term ramifications on national and personal security.”  

The Committee on House Administration said it’s trying to protect people from becoming victimized. “Chairman [Bryan] Steil is aware of the breach and is working with the CAO to ensure the vendor takes necessary steps to protect the [personally identifiable information] of any impacted member, staff and their families,” the committee tweeted Wednesday. 

Records from the data breach appeared available for sale in an online crime forum by a broker who claimed the data was stolen Monday and who said it amassed info on 170,000 DC Health Link customers.

Precisely who is responsible for the breach is not immediately clear. A broker communicating in an encrypted chat with the AP said it was acting on behalf of a seller identified as thekilob.

Emsisoft threat analyst Brett Callow spotted another attempt to share the purported DC Health Link data on Thursday.

“What’s claimed to be data relating to DC Health Link is again being shared on a hacker forum, this time by somebody who uses the signature ‘Glory to Russia!’” Mr. Callow tweeted, sharing a screenshot of the posting.

Congress is not the only federal entity jeopardized by hackers in recent months. A U.S. Marshals Service computer system was hit with ransomware in February and hackers stole sensitive information about government workers and targets of investigations.

Mr. Callow told The Washington Times he is unaware of anything indicating that ransomware was used for the breach affecting Congress.

• This story is based in part on wire service reports.