The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Officials notify Trump allies whose Social Security numbers were posted online

Good morning and welcome to The Cybersecurity 202! I’m filling in for Tim this morning. If you’re in Washington, make sure you go outside early today.

Below: The United States is investigating ByteDance’s surveillance of journalists, and Chinese hacks have been quietly hitting the United States for years. First:

Officials notify Trump allies whose Social Security numbers were posted online

The federal government is notifying some visitors to the White House during the Trump administration that their Social Security numbers were published on a government website. 

Victims of the incident are being notified and offered credit monitoring services, spokespeople for the Government Publishing Office (GPO) and Committee on House Administration told The Cybersecurity 202 this week. The IRS has also been notified so the victims can get additional protection from tax return-related identity theft, GPO said.

The leak enraged Trump allies like South Dakota Gov. Kristi L. Noem (R) and former secretary of Housing and Urban Development Ben Carson, whose Social Security numbers were among the nearly 2,000 published on a GPO website called GovInfo alongside hundreds of documents obtained by the Jan. 6 select committee.

A spokesperson for Rep. Bennie G. Thompson (D-Miss.), who led the Jan. 6 committee, did not respond to a request for comment.

The notifications come in the wake of a Washington Post report and subsequent inspector general report on the incident. The watchdog wrote last month that a “‘perfect storm’ of rushed confusion” led to publication of the Social Security numbers.

“The Agency recognizes the seriousness of the issues involved in the Inspector General’s report and generally agrees with the report’s observations and considerations for improvement,” GPO chief public relations officer Gary Somerset wrote in an email.

Sensitive documents

The Trump administration took a controversial approach to visitor logs, refusing to release them. The Obama administration released such records — minus Social Security numbers — starting in 2009, and President Biden has continued the practice. 

When the Jan. 6 committee sought some Trump administration logs, Trump argued that they were subject to executive privilege. A Biden administration lawyer told David Ferriero, archivist of the United States, in February 2022 that such a designation was “not justified.”

The Government Publishing Office eventually posted the logs online in early January, when the Jan. 6 committee wrapped up its work.

In all, the spreadsheet containing the Social Security numbers was downloaded around 175 times in the 38 hours that it was online, GPO acting inspector general Nathan Deahl wrote in the report released last month. Less than 15 minutes after The Post sought comment from GPO, officials removed the file.

Moving parts

The report doesn’t say just one agency was at fault for the incident. It did, however, appear to place some of the blame for a rushed process on the Jan. 6 committee.

The committee “surprised” GPO in December by requesting that it publish hundreds of additional documents referenced in the report, including transcripts and spreadsheets, Deahl wrote. At the time, the select committee said there was no sensitive information included in the materials, he wrote.

And the problems didn’t end with the leak of Social Security numbers, Deahl wrote in his report.

Officials replaced the spreadsheet with a partially redacted spreadsheet. But that file contained visits that the Jan. 6 committee agreed to keep confidential, the watchdog said. 

  • The second file was downloaded more than 700 times during the 28 additional days it was online. It was replaced on Feb. 1 with a heavily redacted spreadsheet.
  • GPO “believes that the document currently posted on GovInfo reflects the Select Committee’s original intention for what should have been released,” Somerset, the GPO spokesman, told The Post.

And other sensitive documents were also posted online — apparently with unredacted details.

  • Hours after The Post first asked GPO about the Social Security numbers, a federal agency told GPO that it found three documents that “contained Law Enforcement Sensitive Information and were not redacted as agreed to by the Select Committee,” the watchdog wrote. GPO removed those files “within hours,” the IG wrote.

National Archives: The National Archives and Records Administration was also involved in the process. The committee was, “at least in part,” relying on the National Archives to provide redacted documents, according to the inspector general. The National Archives declined to comment.

There also appear to have been issues beyond anyone’s immediate control. For example, when GPO learned that the Social Security numbers had been published, the House hadn’t chosen a speaker — meaning the office’s congressional oversight committee hadn’t yet formed.

The IG made three recommendations, including having agencies tell GPO that their documents don’t have sensitive information and that they will be responsible for responding to any PII leaks. The IG also recommended that GPO ask Congress for permission to proactively remove documents with sensitive information.

“As the draft report notes, decisions were required in real time without clear authority or a customer from whom to seek guidance,” GPO Director Hugh Halpern wrote in a memo to the IG that agreed with those suggestions. “I believe the Agency did the best it could under the circumstances, but there is always room for improvement.”

The keys

FBI, DOJ investigating ByteDance spying on journalists through TikTok

The FBI and Justice Department are investigating the events that prompted China-based ByteDance to use TikTok to spy on journalists, Emily Baker-White reports for Forbes. TikTok parent ByteDance was subpoenaed, and the FBI is conducting interviews, the report says, citing people familiar with the situation.

Baker-White reported in December that she and others had been spied on by ByteDance, which reportedly used IP addresses to track multiple journalists who covered the company.

“We have strongly condemned the actions of the individuals found to have been involved, and they are no longer employed at ByteDance. Our internal investigation is still ongoing, and we will cooperate with any official investigations when brought to us,” ByteDance spokesperson Jennifer Banks said in the report. TikTok did not respond to the outlet’s request for comment.

The report is the first documenting a U.S. government investigation of surveillance by ByteDance. It comes a week before TikTok CEO Shou Zi Chew is set to testify before a House panel. 

Senate group asks CISA to revisit analysis of Chinese drone maker

A Senate group led by Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) and Marsha Blackburn (R-Tenn.) asked Cybersecurity and Infrastructure Security Agency Director Jen Easterly to revisit the agency’s analysis of DJI, a popular drone manufacturer headquartered in China.

In a letter sent Thursday, the group says the company’s known links to the Chinese government make the use of DJI a potential security risk, citing Defense Department research on China’s military-civil fusion strategy that meshes China’s civilian science and tech efforts with its military.

CISA previously addressed DJI as a strong concern in a 2019 industry alert and warned entities to be cautious in purchasing DJI products.

Despite risks the company poses, the use of DJI drones remains widespread throughout the United States, the letter said.

“In 2021, it was reported that DJI controlled almost 90% of the consumer market in North America and over 70% of the industrial market,” it said.

Avery Mulligan, CISA’s senior adviser for public affairs, said the agency does not comment on congressional correspondence and will respond to the senators directly. DJI has long said that it does not get direct investment from China’s government and is privately held.

Chinese hacks have quietly hit U.S. government, businesses for years, report says

State-sponsored Chinese hackers have quietly hacked U.S. victims without prior detection for several years, the Wall Street Journal’s Robert McMillan and Dustin Volz report, citing findings from Google’s Mandiant.

The report comes amid heightened scrutiny over Chinese surveillance and cyber activities, spanning from spy balloons to social media.

Charles Carmakal, Mandiant’s chief technology officer, told the reporters that defense contractors, government agencies, and technology and telecommunications companies appeared to be the greatest victims of the attacks, the report said.

The attacks have compromised devices on the edge of computer networks that normally are not equipped with firewalls or antivirus software. Carmakal later added that the nature of the attacks makes them hard to investigate.

The Chinese Embassy in Washington did not immediately respond to the reporters’ request for comment.

Government scan

White House tech council launches cyber-physical resilience working group (NextGov)

Securing the ballot

MyPillow CEO must face ex-Dominion exec's defamation suit (Law360)

Industry report

Wawa to pay up to $28.5M in data breach settlement (Cybersecurity Dive)

Scammers target Cloudflare CEO with Silicon Valley Bank-themed spearphishing (CyberScoop)

Global cyberspace

Russia-aligned ‘Winter Vivern’ hackers spotted targeting Ukraine, Europe, India (The Record)

Outlook zero day linked to critical infrastructure attacks (Cybersecurity Dive)

Cyber insecurity

Don’t get hacked on Facebook. Do these 6 things now. (Heather Kelly)

On-the-run hacker who allegedly breached federal cop database arrested in Florida (Motherboard)

Google finds 18 zero-day vulnerabilities in Samsung Exynos chipsets (Bleeping Computer)

Google warns users to take action to protect against remotely exploitable flaws in popular Android phones (TechCrunch)

Secure log off

Thanks for reading. See you tomorrow.