CGI Federal says US GAO data breach tied to Atlassian flaw


A US government data breach, disclosed earlier this year, was tied to a bug in enterprise software maker Atlassian's Confluence suite of collaboration tools, an IT contractor said on Tuesday.

CGI Federal, an IT contractor and unit of CGI Inc, said in a statement that it was working "with authorities and clients to identify and disclose any data affected by the Confluence exploitation," which was made public in October.

On Monday, the Government Accountability Office told Reuters that 6,000 current and former GAO employees had been victims of a data breach by an unnamed "threat actor" in connection with the hack.

The size and scope of the breach have not been publicly disclosed, including whether or not any other government agencies have been affected.

Atlassian, an Australian software giant providing products for developers and managers, said in a statement that it had warned customers that hackers were exploiting the bug on October 4th, and that it had been assisting clients with their response.

Other major companies that have since reported breaches related to the Atlassian Confluence data server exploit include global IT services provider Cloudflare and Atlassian subsidiary Trello, a project management tool provider.

The US cyber watchdog agency, the Cybersecurity and Infrastructure Security Agency (CISA), referred questions back to CGI.

In June 2022, CISA warned of a separate Atlassian zero-day vulnerability, forcing US federal institutions to block all internet traffic to Confluence servers to avoid being exploited.