20th October 2025 Cyber Update: US Government Hit by Major Data Breach Affecting FEMA and Border Patrol

The US Department of Homeland Security has confirmed a major cybersecurity breach affecting FEMA and CBP employees. The attacker exploited a Citrix vulnerability to infiltrate internal systems, prompting mass staff firings and renewed scrutiny over federal cybersecurity practices.

Photo by Andy Feliciotti

Cyber News Centre's cyber update for 20 October 2025: The US Department of Homeland Security (DHS) has confirmed a major cybersecurity breach that compromised data belonging to employees of the Federal Emergency Management Agency (FEMA) and US Customs and Border Protection (CBP). An unidentified hacker infiltrated FEMA’s Region 6 network and exfiltrated sensitive information over several weeks by exploiting a vulnerability in Citrix remote access software.

The Update and Why It Matters

The Update: A confirmed cyberattack has exposed employee data from both the Federal Emergency Management Agency (FEMA) and US Customs and Border Protection (CBP), two key components of DHS. The intrusion began on 22 June 2025 and persisted undetected until early July.

According to DHS records reviewed by multiple outlets, the attacker exploited CVE-2025-5777, an unauthorised memory disclosure flaw in Citrix NetScaler Gateway, informally dubbed “CitrixBleed 2.0”. Using compromised administrative credentials, the intruder infiltrated FEMA’s Region 6 network, covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas, and gained access to internal systems shared across FEMA and CBP. Data stolen reportedly includes employment records, internal email archives, and limited personally identifiable information (PII) of federal staff, though no public-facing citizen data has been confirmed as exposed.

The fallout has been extensive. DHS Secretary Kristi Noem confirmed the termination of approximately two dozen FEMA IT employees, including senior information officers, citing a pattern of “systemic and preventable cybersecurity failures” that left federal systems unpatched and unmonitored for months. DHS internal reviews found FEMA lacking multi-factor authentication controls and sufficient network monitoring, allowing the attacker to move laterally between agency network segments.

Technical analyses by security researchers indicate that poor segmentation and outdated Citrix gateway infrastructure enabled the hacker to remain active for several weeks, extracting data and attempting to install unauthorised VPN software for persistence. While attribution remains unclear, analyses by Homeland Security and independent experts have not ruled out a state-linked actor.

Why it Matters: The FEMA and CBP breach underscores systemic vulnerabilities across federal agencies and the critical importance of sustained vulnerability and patch management. Despite years of investment in Zero Trust initiatives, DHS agencies still rely heavily on legacy systems and regional IT silos, conditions that allowed a preventable exploit to cascade across interconnected networks.

For governments and private sectors alike, the breach highlights how known flaws in supply chain software like Citrix can lead to national security exposures if unpatched. FEMA’s internal systems support emergency coordination across disaster-prone southern states; compromise of these networks could have disrupted response protocols or revealed sensitive operational data.

