Upon investigating suspicious activity related to an FBI surveillance system, the agency has confirmed this breach is a “major incident” under the Federal Information Security Modernization Act (FISMA), a statute regarding federal data security.

According to a notice viewed by Politico, the impacted system contained “returns from legal process, such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.”

Pen register and trap and trace devices enable the FBI to monitor calls to and from specific phones as well as websites accessed by an internet-connected device. While communication content is not recorded by these devices, the information potentially accessed in the breach could reveal: 

• FBI criminal probes 
• Targets of FBI surveillance 

Below, security leaders discuss this breach and share insights. 

Security Leaders Weigh In

Michael Bell, Founder & CEO, Suzu Labs:

The FBI just classified the breach of its wiretap surveillance network as a FISMA major incident. The system is the Digital Collection System Network, which stores court-authorized wiretap returns, pen register metadata, FISA warrant data, and personally identifiable information on active FBI investigation targets. The attackers got in through a vendor ISP that connects to the FBI’s network, not through the FBI’s own defenses. The Wall Street Journal reports that investigators suspect Chinese government-affiliated hackers.

This is the same playbook. Salt Typhoon compromised lawful intercept systems at AT&T and Verizon in 2024 by exploiting the telecom infrastructure that CALEA requires carriers to maintain for government surveillance. Now someone used the same supply chain approach on the FBI’s end of that infrastructure. CALEA mandated wiretap capability in 1994. Nobody mandated that the capability be secured against adversaries. Senator Wyden proposed legislation to fix that after the Salt Typhoon telecom breaches. It went nowhere. The vulnerability is still open.

The data in DCSNet is among the most sensitive in federal law enforcement. Active wiretap targets, investigation subjects, counterterrorism case details. If a foreign intelligence service has that information, they know who the FBI is watching, what methods are in use, and which operations are active. That’s a counterintelligence problem that doesn’t get fixed by patching the ISP.

The FBI had at least three distinct cyber incidents in March 2026. The DCSNet breach is attributed to suspected Chinese state-sponsored actors. The Kash Patel email compromise was claimed by Iran’s Handala Hack Team. Politico reports additional intrusions involving internal systems. Multiple adversaries, different attack vectors, one agency, one month. The White House, DHS, and NSA all joined the DCSNet investigation, which is not the response you see for a routine breach.

Matt Wyckhouse, Founder and CEO, Finite State:

This is another reminder that product security is now a national security issue. Threat actors like Volt Typhoon aren’t just targeting hardened systems — they’re exploiting weaknesses across the broader connected-device ecosystem to gain access and persistence.

The U.S. still doesn’t have a consistent, enforceable baseline for product and software supply chain security, and recent moves have pushed us toward a more fragmented model. Meanwhile, Europe is putting real requirements in place through the Cyber Resilience Act.

That gap is becoming harder to justify when the same connected technologies underpin everything from consumer devices to critical infrastructure and sensitive government systems.