CISA Acting Director Uploaded Sensitive Government Documents to Public ChatGPT, Triggering Security Warnings
The acting director of the Cybersecurity and Infrastructure Security Agency uploaded sensitive government contracting documents into a public version of ChatGPT last summer, triggering multiple automated security warnings designed to prevent theft or unintentional disclosure of government material, according to a report by Politico citing four Department of Homeland Security officials.
The incident is particularly notable given that Madhu Gottumukkala leads the federal agency responsible for securing government networks against sophisticated nation-state hackers from adversary countries including Russia and China.
Special Permission Requested to Use Blocked Tool
Gottumukkala had requested special permission from CISA's Office of the Chief Information Officer to use ChatGPT shortly after arriving at the agency in May, according to three of the officials. The application was blocked for other DHS employees at the time.
None of the uploaded files were classified, but the material included CISA contracting documents marked "for official use only," a government designation for information considered sensitive and not intended for public release.
Cybersecurity sensors at CISA flagged the uploads in August, with one official specifying there were multiple warnings in the first week of August alone. Senior DHS officials subsequently conducted an internal review to assess potential harm to government security from the exposures. The review's conclusions have not been disclosed.
Data Shared with OpenAI
Any material uploaded to the public version of ChatGPT is shared with OpenAI and can be used to help answer prompts from other users of the application, which has more than 700 million active users.
Other AI tools approved for DHS employees, including the department's self-built chatbot DHSChat, are configured to prevent queries and documents from leaving federal networks. Gottumukkala's use of the public ChatGPT version bypassed these protections.
One official told Politico that Gottumukkala "forced CISA's hand into making them give him ChatGPT, and then he abused it."
Internal Review and Meetings
Following detection of the activity, Gottumukkala spoke with senior DHS officials to review what he had uploaded. DHS's then-acting general counsel Joseph Mazzara was involved in assessing potential harm to the department, along with DHS Chief Information Officer Antoine McCord.
Gottumukkala also met with CISA's Chief Information Officer Robert Costello and Chief Counsel Spencer Fisher in August regarding the incident and proper handling of "for official use only" material.
All federal officials receive training on proper handling of sensitive documents. According to DHS policy, security officials are required to investigate the cause and effect of any exposure of official use documents and determine appropriate administrative or disciplinary action, which can range from mandatory retraining to suspension or revocation of security clearances.
CISA Disputes Timeline
In a statement, CISA Director of Public Affairs Marci McCarthy said Gottumukkala "was granted permission to use ChatGPT with DHS controls in place" and that "this use was short-term and limited."
The statement appeared to dispute the reported timeline, claiming Gottumukkala last used ChatGPT in mid-July 2025 under an authorized temporary exception, while officials told Politico that security sensors flagged uploads in August.
Pattern of Security Concerns
This is not Gottumukkala's first security-related incident. As Politico previously reported, at least six career CISA staff were placed on leave last summer after Gottumukkala failed a counterintelligence polygraph examination that he had pushed to take. DHS called the polygraph "unsanctioned."
During Congressional testimony last week, when asked if he was aware of the failed test, Gottumukkala twice told Representative Bennie Thompson that he did not "accept the premise of that characterization."
Gottumukkala has served as acting CISA director since May, when he was appointed by DHS Secretary Kristi Noem as deputy director. Donald Trump's nominee to head CISA, Sean Plankey, was blocked last year by Senator Rick Scott over a Coast Guard shipbuilding contract, and a date for his confirmation hearing has not been set.