Statement on the Congressional Budget Office Security Incident

The incident underscores the need for transparency and robust safeguards as the CBO exercises its newly enhanced data acquisition powers under the Congressional Budget Office Data Sharing Act.

FOR IMMEDIATE RELEASE 

November 12, 2025 – WASHINGTON, D.C. – The Data Foundation is deeply concerned by reports that the Congressional Budget Office (CBO) has been compromised by an ongoing cyber intrusion from suspected foreign actors. This security incident comes at a key time, during a government shutdown and just over a year after Congress authorized the Congressional Budget Office Data Sharing Act (P.L. 118-89), granting CBO significantly expanded authorities to access sensitive data from executive branch agencies about American people and businesses.

According to public reports, the breach potentially exposed CBO's communications with congressional offices and may have compromised sensitive economic policy information, including cost estimates, legislative analyses, and budget projections. Media accounts suggest the Senate sergeant at arms warned congressional staff that the incident is "ongoing" and that CBO accounts may still be compromised. 

The following is a statement from Data Foundation President & Chief Executive Officer Nick Hart:

The timing and nature of this breach underscore the urgent need for transparency and robust safeguards as CBO exercises its newly enhanced data acquisition powers. Congress authorized CBO to obtain materials from executive branch agencies with or without written agreements, provided it maintains appropriate confidentiality protections. This Congressional authorization includes access to sensitive information about individuals and businesses across a wide range of policy areas—from economic forecasting to analyses of major legislative proposals.

CBO analyzes some of the most sensitive and consequential policy issues facing the nation, from immigration enforcement to trade policy to major fiscal legislation. The compromise of such analysis could provide foreign adversaries with strategic insights into U.S. policy deliberations and economic planning.

Just one month ago, I applauded the entire CBO leadership team for demonstrating systematic transparency about its data practices. I noted that CBO's publishing on how it accesses and uses data from other agencies represents the level of transparency every public sector agency should be demonstrating. CBO has shown professionalism and commitment to responsible data practices. However, the reported hack is deeply alarming not only because of what may have been compromised in this incident, but because of the broader implications for protecting sensitive data about the American people and businesses that Congress authorized CBO to access under the new law. Congress needs full transparency about what data was accessed, what safeguards failed, and what steps are being taken to secure the sensitive information CBO now has enhanced authority to access.

The breach also comes amid a record 43-day government shutdown that stretched cybersecurity resources thin across federal agencies, with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) having furloughed roughly two-thirds of its workforce. This context makes the security incident even more troubling and highlights the vulnerability of federal data systems when resources are constrained.

On behalf of the Data Foundation, I call for:

  • Increased Transparency: CBO and relevant oversight bodies should provide Congress and the public with a comprehensive accounting of what data was compromised, the scope of the intrusion, and the timeline of the breach—including details about what sensitive data from executive branch agencies may have been exposed.
     
  • Security Assessment: An independent evaluation of CBO's cybersecurity infrastructure and practices, particularly in light of its newly expanded data access authorities under the CBO Data Sharing Act and the challenges posed by the ongoing government shutdown.
     
  • Implementation Review: Congress should examine how the CBO Data Sharing Act is being implemented and whether additional privacy protections, security requirements, and oversight mechanisms are needed before CBO further expands its access to sensitive data about the American people and businesses that Congress has authorized it to obtain.
     
  • Reauthorization Framework: As the Data Foundation noted in our September 2024 statement on the passage of the CBO Data Sharing Act, there are opportunities to better align this type of data sharing authority with Fair Information Practice Principles and the Five Safes Framework. This incident reinforces the need for periodic reauthorization requirements that would allow Congress to review CBO's data practices, security posture, and compliance with privacy protections before continuing expanded data access authorities.
     
  • Adequate Cybersecurity Resources: Congress must ensure that when it provides agencies expanded access to sensitive data, those agencies have the resources and personnel necessary to protect that information—particularly during periods of constrained government operations.

The Data Foundation supports the additional $2.75 million in cybersecurity resources for CBO included in the Senate-passed full-year Legislative Branch Appropriations Act, 2026 (initially voted on November 9, 2025—just two days after news of this breach at CBO became public). This incident starkly illustrates that cybersecurity resources must be provided to agencies before—not after—a breach occurs. 

The American people deserve confidence that when government agencies are granted access to sensitive data about their lives and businesses, that information is protected with the highest levels of security. This breach is a stark reminder that expanded data sharing must be accompanied by commensurate investments in cybersecurity, robust oversight, and the resources needed to proactively defend against sophisticated threats.

The Data Foundation has long supported CBO's vital nonpartisan work and its transparency in implementing the data sharing law. We remain committed to evidence-informed policymaking with strong data protections, and stand ready to work with Congress, CBO, and relevant stakeholders to ensure enhanced data access is balanced with the security and privacy protections the public deserves.

###

About the Data Foundation

The Data Foundation is a non-profit organization based in Washington, D.C. that champions the use of open data and evidence-informed public policy to make society better for everyone. As a nonpartisan think tank, we conduct research, collaborative thought leadership, and advocacy programs that advance practical policies for the creation and use of accessible, trustworthy data. Our activities proactively address emerging data-related needs in the country with the goal of devising realistic solutions, accelerating policy coordination, and advancing innovation. The Data Foundation is recognized by Candid Guidestar with the Platinum Seal of Transparency and received 4-Stars from Charity Navigator. To learn more, visit www.datafoundation.org. (LEI: 254900I43CTC59RFW495)

DATA FOUNDATION
1100 13TH STREET NORTHWEST
SUITE 800, WASHINGTON, DC
20005, UNITED STATES

INFO@DATAFOUNDATION.ORG
