VA Looking Into Potential Breach After Posting of Sensitive Code on GitHub
The Department of Veterans Affairs has launched an investigation into a potential cyber breach after a federal contractor published source code containing sensitive information on GitHub, sources familiar with the matter said. The contractor allegedly copied the code from a VA-managed GitHub account and then posted it on its personal GitHub account. According to the sources, six foreign IP addresses cloned the source code, meaning foreign adversaries could access application credentials and other data that would allow them to penetrate an agency’s IT systems, FedScoop reported.
The source code leak took place on July 5, but the VA only learned about the incident earlier in September through the vulnerability disclosure program of the Cybersecurity and Infrastructure Security Agency.
VA’s investigation also involved Microsoft since the company owns GitHub, which is being used by government agencies for developing software. Microsoft deployed a detection and response team to analyze the security risks resulting from the information disclosure.
According to one of the sources, while the breach is not considered a major incident based on the classification threshold of the Computer Emergency Readiness Team, the VA saw it as a significant concern.
Contrary to the sources’ statements, a VA spokesperson said that the software code contained embedded credentials but “they were not administrative credentials and did not present a risk to VA or Veteran data.”
“VA maintains a robust security strategy that includes firewalls, intrusion detection, multifactor authentication, and end-point encryption that reduces the risk of this event causing any harm to veteran or employee data,” the spokesperson added.