FBI Investigates Breach of Internal Surveillance System Containing Wiretap Data and Investigation Subject PII
The FBI has disclosed to Congress that it is investigating a breach of an internal system containing sensitive surveillance data — including wiretap-related records and personally identifiable information on subjects of FBI investigations.
The bureau began investigating abnormal log activity on February 17, 2026, and notified members of Congress this week. The White House, NSA, and CISA are all reportedly involved in the response, underscoring the severity of the compromise.
What Was Accessed
The affected system is unclassified but contains law enforcement sensitive information, including:
- Pen register and trap-and-trace surveillance returns — records logging phone numbers dialed by targets of FBI surveillance, as well as incoming call metadata
- Personally identifiable information on subjects of active FBI investigations
- Legal process returns — data obtained through court-authorized surveillance orders
Pen registers are among the most commonly used surveillance tools in federal law enforcement, capturing communications metadata that reveals who investigation subjects are contacting, when, and how frequently. Exposure of this data could compromise active investigations, endanger confidential sources, and alert surveillance targets that they are under investigation.
Sophisticated Exploitation via Commercial ISP
The FBI's notification to Congress describes the intrusion techniques as "sophisticated" — specifically noting that the attacker leveraged a commercial internet service provider's infrastructure to exploit FBI network security controls.
This suggests the threat actor either compromised a commercial ISP that provides connectivity or services to the FBI, or used an ISP's legitimate infrastructure as a pivot point to bypass perimeter defenses — an approach consistent with advanced nation-state operations that go after the supply chain rather than the victim directly.
Attribution Unknown
Neither the FBI's statement nor the Congressional notification identified the responsible party. The bureau confirmed the incident but provided minimal details:
"The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond. We have nothing additional to respond."
However, federal agencies have been persistent targets of foreign intelligence services seeking access to sensitive operations and decision-making. The sophistication of the techniques described — exploiting network security controls through third-party infrastructure — is consistent with nation-state tradecraft.
Implications
A breach of FBI surveillance systems represents one of the most sensitive categories of compromise possible in US law enforcement:
- Active investigations compromised — subjects of surveillance may learn they are being monitored
- Source protection at risk — PII connected to surveillance operations could expose cooperating witnesses or confidential informants
- Legal proceedings affected — contamination of surveillance data could impact prosecutions relying on pen register evidence
- Counterintelligence damage — if a foreign intelligence service accessed this data, it gains visibility into who the FBI is watching and why
Defender Recommendations
- Federal agencies should audit ISP-facing connections — the exploitation of commercial ISP infrastructure to bypass FBI network controls highlights supply chain risk at the network connectivity layer
- Review third-party network trust boundaries — organizations should evaluate whether commercial ISP infrastructure is implicitly trusted in their security architecture
- Monitor for abnormal log patterns — the FBI detected this breach through log anomalies; ensure logging and SIEM coverage extends to all systems handling sensitive data, including unclassified-but-sensitive repositories
- Segment surveillance and legal process systems — systems holding pen register returns and investigation subject PII should be isolated from general network access with enhanced monitoring