Cybersecurity Today Special Report
Episode: Exposing a Government Data Breach: Whistleblower Tells All
Release Date: May 10, 2025
Host: Jim Love
Guest: Daniel Brulis, Whistleblower
Introduction to the Incident
The episode opens with Jim Love setting the stage for a gripping discussion about a significant government data breach. He describes receiving an email accompanied by an official-looking document detailing "tenant admin abuse," which unfolds into a real-life tale reminiscent of a Hollywood thriller. The gravity of the situation is underscored when Jim admits, "When I finished this interview... my hands were shaking" (00:00).
Meet the Whistleblower: Daniel Brulis
Jim introduces Daniel Brulis, a seasoned cybersecurity professional with extensive experience in infrastructure, automation, and government consulting. Daniel shares his background, emphasizing his commitment to community service, including roles as a volunteer firefighter and counselor (02:17). His motivation for joining the federal government was driven not by financial gain but by a desire to serve and protect national interests.
Understanding Tenant Admin Abuse
Jim seeks clarity on the concept of tenant abuse, leading Daniel to explain the hierarchical structure within cloud environments like Azure. He clarifies, "Tenant would be housing all your subscriptions and your various management groups within Azure" (01:10). Daniel emphasizes that tenant-level access surpasses even that of a typical CIO, aligning with zero trust principles where such access should be reserved for "break glass" scenarios (01:37).
The Onset of Suspicion
Daniel recounts the unusual day when a high-security SUV, described as having police escorts, arrived at their office (06:10). The lack of official communication about the new personnel raised red flags. The directive to grant access without standard logging procedures further deepened suspicions, prompting Daniel and his CISO to question the integrity of the operations (07:17; 08:11).
Detecting the Breach
A pivotal moment occurred when Daniel noticed a spike in outgoing data, a dramatic increase from a typically flat baseline that suggested unauthorized data exfiltration (09:02). He details his methodical approach to investigating it, including checking with the security and network teams, only to discover that critical monitoring tools like packet sniffers had been disabled (10:18; 10:53).
Uncovering Anomalies
Over weeks, Daniel identified multiple anomalies: altered conditional access policies, unauthorized container creation, and suspicious login attempts from foreign IP addresses, particularly from Russia (14:06; 17:55). The creation of dubious user accounts with names like "Jamaica Whitehall" and "Chicago White Sox" further indicated a sophisticated and scripted attack (18:23).
The Internal Response
Despite escalating the issue through proper channels, Daniel and his colleagues faced resistance. Their attempts to report the breach to CISA were thwarted by higher authorities who deemed it against the agency's interests to acknowledge the breach (20:11; 21:13). Feeling isolated and witnessing a culture of fear, Daniel decided to seek external legal advice (23:16).
Taking Action: Reporting the Breach
Determined to address the wrongdoing, Daniel connected with Andrew Pukeiho, a specialized whistleblower attorney. Their collaboration led to the formal disclosure of the breach to Congress. Daniel describes his experience with Congress as surprisingly responsive and action-oriented, with immediate steps taken to investigate the incident (25:33; 29:50).
Personal Consequences and Resignation
Following the disclosure, law enforcement agencies intensified their presence at Daniel's workplace, creating an untenable work environment. Although he was not formally fired, the pressure led Daniel to resign to avoid further complications and to protect his colleagues (27:14; 28:16).
Moving Forward: Lessons and Advice
In reflecting on his ordeal, Daniel emphasizes the importance of having a robust support system, meticulous documentation, and legal guidance when facing such challenges. He advises others in similar situations to seek protection and professional counsel to navigate the complexities of whistleblowing (31:42).
Conclusion
Jim concludes the episode by expressing deep gratitude for Daniel's courage and service, highlighting the critical nature of transparency and accountability in cybersecurity. He encourages listeners to reach out with their own experiences or concerns, reinforcing the episode's message on the importance of safeguarding sensitive information and upholding ethical standards in government operations.
Notable Quotes
- Jim Love (00:00): "The only difference is this is all too real."
- Daniel Brulis (01:10): "Tenant is the highest you can go within your company."
- Jim Love (05:14): "It's the principle of least disclosure."
- Daniel Brulis (08:31): "Something's wrong here, guys. Something's fishy."
- Jim Love (09:21): "Any security professional should be looking at going, what gives?"
- Daniel Brulis (14:25): "It's a very well scripted execution."
- Jim Love (21:43): "I'm mystified."
- Daniel Brulis (26:22): "I never wanted to do it in the first place."
Timestamp Guide
- [00:00] – Introduction and setting the scene
- [01:10] – Explanation of tenant abuse
- [05:14] – Discussing the principle of least disclosure
- [08:31] – Realization that something is wrong
- [09:02] – Discovery of a spike in outgoing data
- [14:06] – Identifying additional anomalies
- [17:55] – Suspicious login attempts from Russia
- [18:23] – Creation of dubious user accounts
- [20:11] – Attempt to report the breach to higher authorities
- [21:43] – Confronting the severity of the situation
- [23:16] – Decision to seek legal counsel
- [25:33] – Interaction with Congress
- [27:14] – Personal consequences and resignation
- [28:16] – Reflecting on the decision to resign
- [31:42] – Advice to potential whistleblowers
- [32:39] – Closing remarks and gratitude
Final Thoughts
This episode of "Cybersecurity Today" sheds light on the intricate challenges faced by whistleblowers in government settings. Daniel Brulis's courageous actions highlight the critical need for transparent and accountable cybersecurity practices. Listeners are left with a profound understanding of the personal and professional risks involved in exposing internal breaches and the importance of robust support systems for those who choose to speak out.
