US Government Contractor Acuity Confirms Data Breach
Acuity, a company that works with US government agencies, has confirmed that hackers breached its GitHub repositories and stole documents. Last week, a hacker claimed that these documents contained classified information belonging to the Five Eyes intelligence alliance, which includes agencies from Australia, Canada, New Zealand, the United States, and the United Kingdom.
Acuity is a consulting firm with about 400 employees and annual revenue exceeding $100 million. The company provides services in DevSecOps, IT operations and modernization, cybersecurity, data analytics, and operational support, and is actively involved with government clients.
Details of the Breach
Last week, a hacker known as IntelBroker published documents allegedly stolen from Acuity, claiming that the data belonged to several government agencies, including the US Department of State, Department of Defense, and the National Security Agency (NSA). According to the hacker, the leaked dump contains full names, email addresses, work and personal phone numbers of government employees, military personnel, and Pentagon staff, as well as their personal email addresses.
Another participant in the attack, known as Sangierro, told Bleeping Computer that the breach occurred on March 7, 2024. He claims to have exploited a vulnerability in the Tekton CI/CD server to steal Acuity’s GitHub credentials and gain access to private repositories.
Following the incident, representatives from the US Department of State announced that they were investigating a possible cyberattack.
Acuity’s Response
Acuity has now confirmed that the breach did occur, but stated that the stolen data was not classified. “Recently, Acuity identified a cyber incident involving GitHub repositories that contained outdated and non-private information. As soon as the zero-day vulnerability became known, Acuity applied vendor-provided security updates and took mitigation actions as recommended,” the company said.
The company also emphasized that, after conducting its own analysis and an investigation by independent cybersecurity experts, Acuity found no evidence that any confidential client data was compromised.