alt Hacker NewsUS cybersecurity chief leaked sensitive government files to ChatGPT: Report
Comments
This administration's op-sec has been consistently "barney fife" levels of incompetence.
It's bizarre that someone would choose to use the public, 4o bot over the ChatGPT Pro level bot available in the properly siloed and compliant Azure hosted ChatGPT already available to them at that time. The government can use segregated secure systems set up specifically for government use and sensitive documents.
It looks like he requested and got permission to work with "For Unofficial Use Only" documents on ChatGPT 4o - the bureaucracy allowed it - and nobody bothered to intervene. The incompetence and ignorance both are ridiculous.
Fortunately, nothing important was involved - it was "classified because everything gets classified" bureaucratic type classification, but if you're CISA leadership, you've gotta be on the ball, you can't do newbie bullshit like this.
Better to read the original story from Politico.
https://www.politico.com/news/2026/01/27/cisa-madhu-gottumuk...
People were already careless with social media which was openly public. I imagine it’ll be worse with these LLMs for the average person.
It’s absolutely necessary to have ChatGPT.com blocked from ITAR/EAR regulated organizations, such as aerospace, defense, etc. I’m really shocked this wasn’t already the case.
I really enjoyed unchecking all those cookie controls. Of the 1668 partner companies who are so interested in me, a good third have a "legitimate interest". With each wanting to drop several cookies, it seems odd that Privacy Badger only thinks there are 19 cookies to block. Could some of them be fakes - flooding the zone?
Damn. I forgot to read the article.
Sounds about on par with what I would expect competence wise.
I for one, after doing a bit of reserach, was shocked to find out the person in question is apparently completely unqualified for the job (if him pasting sensitive information into public ChatGPT didn't already make that abundantly clear). But the highlight from his Wikipedia page is this one:
>In December 2025, Politico reported that Gottumukkala had requested to see access to a controlled access program—an act that would require taking a polygraph—in June. Gottumukkala failed the polygraph in the final weeks of July. The Department of Homeland Security began investigating the circumstances surrounding the polygraph test the following month and suspended six career staffers, telling them that the polygraph did not need to be administered.[12]
So the guy failed a polygraph to access a highly controlled system full of confidential information, and the solution to that problem was to fire the people in charge of ensuring the system was secure.
We're speed running America into the ground and half the country is willfully ignorant to it happening.
Well they’re about to solve that by intentionally cramming it into grok instead
I would like to be able to say that it is uncommon, but based on what I am seeing in my neck of the woods, all sorts of, one would think, private information is ingested by various online llms. I would have been less annoyed with it had those been local deployments, but, uhhh, to say it is not a first choice is being over the top charitable with current corporates. And it is not even question of money! Some of those corps throw crazy money at it.
edit: Just in case, in the company I currently work at, compliance apparently signed off on this with only a rather slim type of data verbotten from upload.
I wonder how far removed the interim director of the CISA is from any real world security. I bet they have not seen or solved any real security problems and merely are an executive looking over cybersec. This probably is another example of why you need rank and file security peeps into security leadership roles rather than some random exec.
the current united states government is staffed mostly with unserious people, or people who are serious about doing crimes against humanity. there's very little in between.
I adore that this guy had security clearance and I doubt I'd clear that bar. Last time I looked at the interview there was a question:
> have you ever misused drugs?
and I doubt I'd be able to resist the response:
> of course not, I only use drugs properly.
also I wouldn't lie, because that's would undermine the purpose. Still sad I can't apply for SC jobs because I'm extremely patriotic and improving my nation is something that appeals.
Can't be surprised when clowns clown.
It looke like he's unfit for the position, and was using ChatGPT to burnish his reports etc.
If I did this with a banal internal documentation at work I would be written up and maybe fired over breaking known policy. This administration is so ridiculously incompetent, and interim head of cyber security.. leaks. The onion wouldn't write this.
"Information wants to be free". Government stooges help information with what it wants.
This is a "Cybersecurity chief" causing an intern-level IT incident.
In many industries, this would be a rapid incident at the company-level and also an immediate fireable offense and in some governments this would be a complete massive scandal + press conference broadcasted across the country.
BTW, what's the current status on LLMs and confidential documents ? Which license from which suppliers are fine and which aren't ?
Once again, if you or I did this, it's federal crime and federal time.
But when the chief does it, it's an oopsie poopsie "special exemption".
Where does this "cybersecurity monitoring" take place? On OpenAIs side? Or some kind of monitoring tools on the devices themself?
I wonder how they could discern the upload of sensitive documents from non-sensitive ones
How is such a critical position filled with a foreign national?
My assumption is that it goes the other direction on a permanent basis.
> Cybersecurity monitoring systems then reportedly flagged the uploads in early August. That triggered a DHS-led damage assessment to determine whether the information had been exposed.
So it means, a DLP solution, browsers trusting its CA and it silently handling HTTP in clear-text right?
Chalaki
Well, at least there's gonna be a swift and appropriate punishment. LOL
From wikipedia:
He graduated from Andhra University with a bachelor of engineering in electronics and communication engineering, the University of Texas at Arlington with a master's degree in computer science engineering, the University of Dallas with a Master of Business Administration in engineering and technology management, and Dakota State University with a doctorate in information systems.
And he still manages to make a rookie mistake. Time to investigate Mr. Gottumukkala's credentials. I wouldn't be surprised if he's a fraud.
https://en.wikipedia.org/wiki/Madhu_Gottumukkala
He was the 'CTO' of South Dakota and later the CIO/Commissioner of the South Dakota Bureau of Information and Telecommunications under governor Kristi Noem.
Edit: (From a European perspective) it seems like the southern states really took over the US establishment. I hadn't really grasped the level of it, before.
The meritocracy strikes again.
and which MTV reality show was this "cybersecurity chief" plucked from ?
[dead]
Leaked is not the correct word here. Generally as it's used, it implies some intent to disclose, the information for it's own purposes. You would call a disclosure to the war thunder forums a leak, because the intent was to use that information to win an argument. You wouldn't call Leaving boxes of classified information in a wearhouse where you'd normally read them a leak. (At least not as a verb). Likewise you wouldn't call it a leak if you mistakenly abandoned them in a park.
That said, IIRC For Official Use Only is the lowest level of classification (note not classified) it's not even NOFORN. It's even multiple levels below Sensitive But Unclassified.
So, who cares?
Much more significant is he failed the SCI/full poly... that means you lied about something. Yes I know polys don't work, but the point of the poly is to try to ensure you've disclosed everything that could be used against you, which ideally means no one could flip you or manipulate you. The functional part is to determine if you have anxiety about things you might try to hide, because that fear can be used against you. No fear/anxiety, or nothing you're trying to hide means you're harder to manipulate.
That feels bad even ignoring the whole hostile spys kinda thing.
I’m a little surprised by the takes in the comments. Obviously, heads of departments or agencies, CEOs, or similar personnel are generally not in the same league as normal employees when it comes to compliance.
Productivity and efficiency are key for their work. I am sure there are lots of Sysadmins here, that had to disable security controls for a manager or had to configure something in a way to circumvent security controls from actually working. I have been in many situations where I have been asked by IT colleagues if doing something like that was fine, because an executive had to read a PowerPoint file NOW.
There have to be GovCloud only LLMs just for this case.
I swear this government is headed by appointed nephews of appointed nephews.
I keep thinking back about that Chernobyl miniseries; head of the science department used to run a shoe factory. No one needs to be competent at their job anymore