Washington, D.C. Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A detailed timeline of major cybersecurity incidents in Washington, D.C., from federal agency breaches to attacks on nonprofits and law firms, and what organizations can learn from them.
Washington, D.C. occupies a unique position in the American cybersecurity landscape. As the seat of the federal government and home to hundreds of lobbying firms, think tanks, NGOs, and international organizations, the District processes some of the most sensitive data in the world on a daily basis. Nation-state actors, ransomware gangs, and hacktivists all view D.C. as a high-value target, and the density of government-adjacent organizations means that even small contractors and nonprofits find themselves in the crosshairs of sophisticated adversaries.
The incidents documented below illustrate the breadth of cyber risk in the District. From massive federal agency breaches to targeted attacks on D.C.'s own government systems, each case carries practical lessons for organizations operating in or around the nation's capital. For a broader view of the threat environment, see our analysis of the D.C. cyber threat landscape, and for regulatory obligations, review our guide to D.C. cybersecurity compliance requirements.
Major Cyber Incidents in Washington, D.C.: A Timeline
2014–2015 — U.S. Office of Personnel Management (OPM) Breach
The OPM breach remains one of the most consequential cyberattacks in U.S. history. Attackers, attributed to Chinese state-sponsored hackers, exfiltrated personnel records for approximately 4.2 million current and former federal employees and security clearance background investigation files for 21.5 million individuals. The stolen data included Social Security numbers, fingerprint records, and detailed personal histories from SF-86 security clearance questionnaires. The breach led to the resignation of OPM Director Katherine Archuleta and prompted a wholesale restructuring of federal cybersecurity governance, including the creation of the Cybersecurity and Infrastructure Security Agency (CISA).
2015 — White House Unclassified Email Network Compromise
Russian state-sponsored hackers, identified as Cozy Bear (APT29), breached the White House's unclassified email network in late 2014, with the intrusion confirmed publicly in 2015. The attackers gained access through a phishing email sent to a State Department employee, then pivoted laterally to the White House network. While classified systems were reportedly not compromised, the incident demonstrated that even the most prominent organizations in D.C. are vulnerable to spear-phishing campaigns that exploit human error.
2017 — D.C. Metropolitan Police Surveillance Camera Hack
In January 2017, just days before the presidential inauguration, hackers compromised 123 of the D.C. Metropolitan Police Department's 187 outdoor surveillance cameras. Romanian nationals were later arrested and charged with the attack, which involved installing ransomware on the recording devices. The cameras were offline for approximately 48 hours during one of the most security-sensitive periods in the city's calendar. The Secret Service and FBI assisted in the investigation and recovery.
2021 — D.C. Metropolitan Police Department Ransomware Attack
The Babuk ransomware group attacked the D.C. Metropolitan Police Department in April 2021, stealing approximately 250 gigabytes of data, including personnel files, disciplinary records, intelligence reports, and informant information. When the department refused to meet the group's ransom demand, the attackers published sensitive internal documents on their leak site. The breach was particularly damaging because the leaked files included information about confidential informants and ongoing investigations, potentially endangering lives. The incident highlighted the severe consequences of ransomware attacks targeting law enforcement agencies.
2023 — D.C. Health Link Data Breach
In March 2023, D.C. Health Link, the District's health insurance marketplace serving members of Congress, congressional staff, and D.C. residents, suffered a breach that exposed the personal information of approximately 56,415 individuals. The stolen data, which appeared for sale on a dark web forum, included names, Social Security numbers, dates of birth, and health plan enrollment information. The breach drew national attention because it affected sitting members of Congress. The FBI launched an investigation, and the D.C. Health Benefit Exchange Authority engaged forensic investigators to determine the root cause, which was traced to a misconfigured server.
2023 — U.S. Marshals Service Ransomware Attack
In February 2023, the U.S. Marshals Service disclosed a ransomware attack that compromised a system containing law enforcement-sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of investigations, third parties, and certain employees. The affected system was disconnected, and the Department of Justice initiated a forensic investigation. The incident underscored that even federal law enforcement agencies with significant resources remain vulnerable to ransomware.
2024 — National Defense University Email Compromise
In early 2024, the National Defense University at Fort McNair in D.C. disclosed that a phishing campaign had compromised multiple faculty and staff email accounts. The compromised accounts contained research correspondence, student records, and in some cases controlled unclassified information related to defense policy. The Department of Defense mandated a security review across all professional military education institutions in response.
D.C.'s Data Breach Notification Law
The District of Columbia's breach notification requirements are governed by the Security Breach Notification Act, D.C. Code Section 28-3852. The law requires any person or entity that owns or licenses computerized personal information of D.C. residents to notify affected individuals in the most expedient time possible and without unreasonable delay following the discovery of a breach. An amendment effective March 2020 requires notification to the D.C. Attorney General when a breach affects 50 or more D.C. residents.
Personal information under the statute includes an individual's name combined with Social Security numbers, driver's license numbers, financial account numbers, or medical information. The law also covers biometric data and health insurance information following the 2020 amendments. The Attorney General has enforcement authority under the District's consumer protection laws. Organizations operating in D.C. should consult our D.C. compliance and data privacy law guide for a detailed breakdown of these requirements.
Which D.C. Industries Are Most Targeted?
Federal Government and Contractors
The federal government is the largest employer in the District, and the thousands of contractors, subcontractors, and consultants who support federal agencies create an extended attack surface that adversaries aggressively target. Nation-state actors from China, Russia, Iran, and North Korea routinely target D.C.-based government contractors as a pathway to federal networks. Even small firms holding government contracts must meet stringent cybersecurity standards under frameworks like CMMC and NIST 800-171.
Law Firms and Lobbying Organizations
K Street and the surrounding corridors are home to some of the most influential law firms and lobbying organizations in the world. These firms handle extraordinarily sensitive information — merger and acquisition details, regulatory strategy documents, and privileged attorney-client communications — making them prime targets for economic espionage. Organizations in the legal sector should explore managed IT services designed for law firms to address these unique risks.
Nonprofits, Think Tanks, and NGOs
D.C. hosts more nonprofit organizations per capita than any other U.S. city. Many of these organizations operate on tight budgets with limited IT staff, yet they handle sensitive donor data, policy research, and in some cases information about vulnerable populations. Nation-state actors have targeted think tanks like the Council on Foreign Relations and the Brookings Institution for intelligence gathering. Nonprofits should consider managed IT services built for nonprofit organizations to build resilience without overextending their budgets.
What D.C. Businesses Must Do After a Breach
When a D.C. organization discovers a data breach, the response must be swift and methodical. Under D.C. Code Section 28-3852, notification to affected individuals must occur without unreasonable delay. If the breach affects 50 or more residents, the organization must also notify the D.C. Attorney General. Beyond legal compliance, organizations should immediately engage forensic investigators to determine the scope of the intrusion, preserve evidence for potential law enforcement involvement, and begin remediation of the exploited vulnerability.
Organizations should also activate their incident response plan, notify their cyber insurance carrier, and prepare communications for affected stakeholders. Given D.C.'s high-profile environment, breaches frequently attract media attention, making a well-prepared communications strategy essential. For federal contractors, additional reporting obligations may apply under DFARS clause 252.204-7012, which requires reporting cyber incidents to the Department of Defense within 72 hours.
How to Protect Your D.C. Business Before an Incident
Implement zero-trust architecture: In an environment where nation-state actors are a realistic threat, perimeter-based security is insufficient. Zero-trust principles — verify every user, device, and connection — are essential for D.C. organizations.
Deploy endpoint detection and response (EDR): EDR solutions provide the visibility needed to detect lateral movement and advanced persistent threats that target government-adjacent organizations.
Conduct regular penetration testing: Annual penetration tests help identify vulnerabilities before adversaries do, and are increasingly required by federal contract compliance frameworks.
Invest in security awareness training: Phishing remains the most common initial access vector in D.C. breaches. Regular, scenario-based training reduces the likelihood of a successful social engineering attack.
Establish an incident response plan: Every D.C. organization should maintain a written, tested incident response plan that accounts for the District's notification requirements and any federal reporting obligations. Consider partnering with a managed IT security services provider to ensure around-the-clock monitoring and rapid response capabilities.
Frequently Asked Questions
What was the largest data breach in Washington, D.C. history?
The 2014–2015 OPM breach is the largest, exposing personnel records for 4.2 million federal employees and security clearance files for 21.5 million individuals. The breach is considered one of the most damaging cyberattacks in U.S. government history due to the sensitivity of the data compromised.
Does D.C. have its own data breach notification law?
Yes. The District of Columbia's Security Breach Notification Act, codified at D.C. Code Section 28-3852, requires notification to affected individuals without unreasonable delay and notification to the D.C. Attorney General when 50 or more residents are affected.
Which industries in D.C. face the highest cyber risk?
Federal government agencies and contractors, law firms, lobbying organizations, and nonprofits face the highest risk. The presence of nation-state actors targeting government-adjacent organizations makes D.C.'s threat landscape more severe than most U.S. cities.
Are D.C. nonprofits required to comply with breach notification laws?
Yes. The D.C. Security Breach Notification Act applies to any person or entity that owns or licenses computerized personal information of D.C. residents, regardless of whether the organization is for-profit or nonprofit.
What federal cybersecurity requirements apply to D.C. contractors?
Federal contractors in D.C. may need to comply with NIST SP 800-171, the Cybersecurity Maturity Model Certification (CMMC), DFARS clause 252.204-7012, and FedRAMP for cloud services, depending on the nature of their contracts and the data they handle.
How do D.C. organizations report a data breach?
Organizations must notify affected individuals directly and, if 50 or more D.C. residents are affected, file a notification with the D.C. Attorney General's office. Federal contractors may have additional reporting obligations to their contracting agency and the Department of Defense Cyber Crime Center (DC3).
Alex Morgan
Updated Apr 5, 2026