The US Government Accountability Office said Monday that CGI Federal, an IT contractor and unit of CGI Inc., notified the agency of a data breach last month affecting about 6,000 current and former GAO employees.
The GAO, a research arm of Congress, said in a statement the data involved personally identifiable information on employees including some people who worked there from 2007 to 2017.
A breach notification letter seen by Reuters said that the data contained "names, social security numbers, addresses, and some banking information." The letter said the breach had been carried out by a "threat actor exploiting a vulnerability in an externally provided platform" but didn't delve into specifics.
GAO spokesperson Chuck Young said his agency was notified about the breach on January 17 but referred questions about its impact to CGI. CGI Federal did not immediately return messages seeking comment.
CGI, which has recently pivoted toward cybersecurity, has many contracts with the federal government. In recent congressional testimony, a CGI official said that the company has provided IT protection for "100 participating agencies" through the U.S. cybersecurity agency tasked with protecting federal networks.
In the same testimony, GCI said it provided cybersecurity services to the State, Justice, Commerce, and Labor departments, the Federal Communications Commission, and the United States Agency for International Development.
The cybersecurity agency did not immediately respond to a request for comment about CGI. The FBI did not immediately return emails.
