Politics

US cybersecurity agency faces internal review after sensitive documents uploaded to ChatGPT

Thursday, 29 January 2026 9:47PM UTC

The acting director of the Cybersecurity and Infrastructure Security Agency prompted an internal review after confidential federal documents labelled 'for official use only' were uploaded into the public ChatGPT platform, highlighting growing risks of AI use in government agencies.

The acting director of the Cybersecurity and Infrastructure Security Agency has prompted an internal security review after sensitive federal contracting documents labelled "for official use only" were uploaded into the public version of ChatGPT, multiple news outlets report. According to Politico and subsequent coverage, the transfers took place in mid-July through early August 2025, weeks after Madhu Gottumukkala became acting director in May. Automated monitoring within the Department of Homeland Security detected the activity and generated alerts that escalated to senior DHS cybersecurity teams. (Sources: Times of India, Cybernews)

CISA has acknowledged the event but sought to frame it as performed under constrained authorisation. A CISA spokesperson, Marci McCarthy, told reporters the use of ChatGPT occurred "with DHS controls in place" and under a "short-term and limited" exception, and CISA's logs show Gottumukkala's last recorded access to the public platform in mid-July 2025. Nevertheless, agency sensors repeatedly flagged the uploads as potential data exfiltration incidents, prompting an ordered damage assessment consistent with DHS policy when sensitive information is moved outside secure networks. (Sources: Times of India, Cybernews, Financial Express)

Government officials interviewed by press outlets described a rapid internal response that included meetings between Gottumukkala and senior agency advisers, and the opening of a formal review to determine whether the FOUO material had been compromised or required personnel action. Insiders speaking on condition of anonymity told The Independent that CISA's chief information officer and chief counsel were present in mid-summer discussions about proper handling of FOUO-designated records. The findings of that review have not been released publicly. (Sources: Lead LinkedIn item, Times of India)

Critics inside the agency have voiced stronger condemnations, with at least one current official quoted by multiple outlets alleging that the acting director "forced CISA's hand" to secure the exemption and then "abused it." That account contrasts with CISA's public description of the access as controlled, underscoring internal divisions over leadership decisions at a time when the agency is confronting both budgetary pressures and morale challenges. (Sources: Lead LinkedIn item, NDTV)

The episode highlights broader risks as federal bodies experiment with generative AI. Academic research and reporting have repeatedly warned that public AI platforms can retain user inputs and use them to refine models, potentially exposing sensitive operational details unless inputs are routed through enterprise or government-controlled instances with strict data governance. For agencies responsible for defending against state-sponsored cyber threats, even unclassified but operationally sensitive contracting and architecture information can yield actionable insights for adversaries. (Sources: Lead LinkedIn item, Cybernews)

Gottumukkala's ascent to the acting directorship and his résumé were widely reported in profiles that note a background in state government and private-sector IT leadership. He assumed deputy director duties in April 2025 and became acting director later that month; biographical summaries state he previously served in senior technology posts in South Dakota and holds advanced degrees in engineering, computer science and information systems. Recent reporting also recounts separate internal controversies during his tenure, including a disputed polygraph process and personnel actions that have already prompted additional inquiries. (Sources: Times of India profile, Wikipedia, Financial Express)

The incident is likely to attract attention from Congressional committees overseeing homeland security and federal cybersecurity practices, where bipartisan concern about AI adoption and data controls has grown. Lawmakers have signalled an appetite for tighter rules governing when and how public generative AI tools may be used with government information, and this case could be cited as an example reinforcing calls for stricter protocols, real-time monitoring and clearer accountability. (Sources: Lead LinkedIn item, Times of India, Financial Express)

Source Reference Map

Inspired by headline at: ^[1]

Sources by paragraph:

Paragraph 1: ^[2], ^[3]
Paragraph 2: ^[2], ^[3], ^[6]
Paragraph 3: ^[1], ^[2]
Paragraph 4: ^[1], ^[7]
Paragraph 5: ^[1], ^[3]
Paragraph 6: ^[4], ^[5], ^[6]
Paragraph 7: ^[1], ^[2], ^[6]

Source: Noah Wire Services

More on this

https://www.linkedin.com/pulse/united-states-cyber-defence-chief-uploaded-sensitive-sq2re - Please view link - unable to able to access data
https://timesofindia.indiatimes.com/world/us/for-official-use-only-indian-origin-cisa-acting-director-madhu-gottumukkala-uploaded-sensitive-government-files-to-public-chatgpt-triggering-security-alarms/articleshow/127736058.cms - The Times of India reports that Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), uploaded sensitive government files marked 'For Official Use Only' to a public version of ChatGPT. This action triggered multiple automated security warnings within the Department of Homeland Security (DHS). The incident occurred in mid-July through early August 2025, shortly after Gottumukkala assumed his role in May 2025. He had obtained special permission to use ChatGPT, which was otherwise blocked for other DHS employees. The uploads led to an internal review to assess potential security risks. CISA spokesperson Marci McCarthy stated that Gottumukkala's use of ChatGPT was conducted 'with DHS controls in place' under a 'short-term and limited' exception. However, internal critics described his actions as a misuse of privileged access. The full extent of any compromise remains unclear, and the findings of the internal review have not been publicly released.
https://cybernews.com/security/madhu-gottumukkala-cisa-chatgpt/ - Cybernews reports that Madhu Gottumukkala, acting head of CISA, uploaded sensitive 'For Official Use Only' documents into the public version of ChatGPT, triggering security alerts. Despite ChatGPT being blocked for other DHS employees, Gottumukkala received special permission to use the AI tool. The incident occurred in mid-July through early August 2025, shortly after he assumed his role in May 2025. The uploads led to an internal review to assess potential security risks. CISA spokesperson Marci McCarthy stated that Gottumukkala's use of ChatGPT was 'short-term and limited' under authorized exceptions. The full extent of any compromise remains unclear, and the findings of the internal review have not been publicly released.
https://timesofindia.indiatimes.com/world/us/meet-madhu-gottumukkala-indian-origin-us-cybersecurity-chief-accused-of-sharing-internal-files-on-chatgpt/articleshow/127777448.cms - The Times of India provides background on Madhu Gottumukkala, the acting director of CISA, who is accused of uploading internal files to ChatGPT. The incident occurred in mid-July through early August 2025, shortly after Gottumukkala assumed his role in May 2025. He had obtained special permission to use ChatGPT, which was otherwise blocked for other DHS employees. The uploads led to an internal review to assess potential security risks. CISA spokesperson Marci McCarthy stated that Gottumukkala's use of ChatGPT was conducted 'with DHS controls in place' under a 'short-term and limited' exception. The full extent of any compromise remains unclear, and the findings of the internal review have not been publicly released.
https://en.wikipedia.org/wiki/Madhu_Gottumukkala - The Wikipedia page on Madhu Gottumukkala details his background and career. Born on October 29, 1976, in Andhra Pradesh, India, he earned a bachelor's degree in electronics and communication engineering from Andhra University. He later completed a master's degree in computer science engineering at the University of Texas at Arlington, an MBA in engineering and technology management from the University of Dallas, and a doctorate in information systems from Dakota State University. Prior to joining CISA, Gottumukkala held senior technology leadership roles in South Dakota state government, including serving as chief information officer and commissioner of the South Dakota Bureau of Information and Telecommunications from September 2024 to May 2025. He assumed the role of acting director of CISA in May 2025.
https://www.financialexpress.com/world-news/us-news/who-is-madhu-gottumukkala-trumps-cyber-agency-chief-uploaded-sensitive-files-to-chatgpt/4122714/lite/ - The Financial Express reports that Madhu Gottumukkala, acting director of CISA, uploaded sensitive 'For Official Use Only' documents into the public version of ChatGPT, triggering security alerts. Despite ChatGPT being blocked for other DHS employees, Gottumukkala received special permission to use the AI tool. The incident occurred in mid-July through early August 2025, shortly after he assumed his role in May 2025. The uploads led to an internal review to assess potential security risks. CISA spokesperson Marci McCarthy stated that Gottumukkala's use of ChatGPT was 'short-term and limited' under authorized exceptions. The full extent of any compromise remains unclear, and the findings of the internal review have not been publicly released.
https://www.ndtv.com/world-news/trumps-indian-origin-cyber-chief-madhu-gottumukkala-uploaded-critical-files-on-chatgpt-report-10903996/amp/1 - NDTV reports that Madhu Gottumukkala, acting director of CISA, uploaded sensitive 'For Official Use Only' documents into the public version of ChatGPT, triggering security alerts. Despite ChatGPT being blocked for other DHS employees, Gottumukkala received special permission to use the AI tool. The incident occurred in mid-July through early August 2025, shortly after he assumed his role in May 2025. The uploads led to an internal review to assess potential security risks. CISA spokesperson Marci McCarthy stated that Gottumukkala's use of ChatGPT was 'short-term and limited' under authorized exceptions. The full extent of any compromise remains unclear, and the findings of the internal review have not been publicly released.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 8

Notes: The incident involving Madhu Gottumukkala uploading sensitive documents to ChatGPT was reported by multiple reputable sources on January 28, 2026, indicating recent and original reporting. ([techcrunch.com](https://techcrunch.com/2026/01/28/trumps-acting-cybersecurity-chief-uploaded-sensitive-government-docs-to-chatgpt/?utm_source=openai))

Quotes check

Score: 7

Notes: Direct quotes from CISA spokesperson Marci McCarthy and other officials are consistent across sources, suggesting accurate reporting. However, some sources paraphrase statements, which may introduce slight variations. ([timesofindia.indiatimes.com](https://timesofindia.indiatimes.com/world/us/for-official-use-only-indian-origin-cisa-acting-director-madhu-gottumukkala-uploaded-sensitive-government-files-to-public-chatgpt-triggering-security-alarms/articleshow/127736058.cms?utm_source=openai))

Source reliability

Score: 9

Notes: The incident has been reported by reputable outlets such as Politico, The Times of India, and Cybernews, indicating high source reliability. ([timesofindia.indiatimes.com](https://timesofindia.indiatimes.com/world/us/for-official-use-only-indian-origin-cisa-acting-director-madhu-gottumukkala-uploaded-sensitive-government-files-to-public-chatgpt-triggering-security-alarms/articleshow/127736058.cms?utm_source=openai))

Plausibility check

Score: 8

Notes: The reported incident aligns with known security protocols and the risks associated with uploading sensitive information to public AI platforms. ([cybernews.com](https://cybernews.com/security/madhu-gottumukkala-cisa-chatgpt/?utm_source=openai))

Overall assessment

Verdict (FAIL, OPEN, PASS): PASS

Confidence (LOW, MEDIUM, HIGH): HIGH

Summary: The incident involving Madhu Gottumukkala uploading sensitive documents to ChatGPT has been reported by multiple reputable sources, with consistent details and no significant discrepancies. The content is recent, original, and factual, with no paywalled material or content type concerns. Verification sources are independent and corroborate the information, leading to a high-confidence assessment.

Cybersecurity
AI regulation
Government data security