
In this gripping episode of Cybersecurity Today, host Jim Love interviews Daniel Berulis, a self-described whistleblower who recently made a significant disclosure to the U.S. Congress. Berulis reveals the shocking details of tenant admin abuse within...
Jim Love
Welcome to Cybersecurity Today. The email was accompanied by an official-looking document that started talking about tenant admin abuse. As I read on, I found myself almost unable to believe what I was reading. What followed in that document, and subsequently in this interview, was a tale of intrigue that might match any Hollywood movie. The only difference is this is all too real. When I finished this interview, as I said at the end of the Friday show, my hands were shaking. Welcome to Cybersecurity Today. Today's show features Daniel Berulis, a self-described whistleblower, and his recent disclosure to the U.S. Congress uncovered how tenant admin abuse let outsiders copy data from government sources and then wipe the audit trail. It's not the type of thing that happens normally in our lives. Welcome, Daniel.
Daniel Berulis
Hey, thanks for having me Jim.
Jim Love
Just a minor note because I don't want to leave the audience hanging. What is tenant abuse and what is it exactly that you reported?
Daniel Berulis
Sure, absolutely. There are different layers of ownership within Azure, as in most cloud environments. And so at the highest level is what you have as the tenant. The tenant would be housing all your subscriptions and your various management groups within Azure. So essentially the tenant is the highest you can go within your company. You have to go to Microsoft to get higher.
Jim Love
And you were saying that's a higher level of access than even a CIO would normally have.
Daniel Berulis
That's correct. By zero trust principles, generally only a break-glass account would be at that level. Not always followed, but best practices would dictate that would be the way it should be. Yes.
Jim Love
Great. So we'll come back to this. The situation was at least one party having more access than they should ever possibly have, and some things that happened will follow us through our conversation. Before we start, I'd like to get to know you a little better. You sent me, I guess, what was your documentation that was sent to Congress, and so I've read a lot about you, but I'd just like to share that with our audience. Tell us about who you are and how you got to the point in your career where you are right now.
Daniel Berulis
Sure. I definitely started it much like others, ending up finding a passion in something; it happened to be infrastructure. This was almost two decades ago now. And then I developed a love for automation, various scripting, different tools, and that led into cybersecurity, and one thing led to another. We've gotten to a point now in my career where I'm a jack of all trades and I've been exposed to many different sectors, many different industries in the private sector. And recently I was doing some government consulting, and a position opened up at the National Labor Relations Board. And so I took that on and joined the federal government.
Jim Love
You're certified in Azure, Amazon Web Services. You've been doing this for a long time. You also have a really great community story. You've been quite active in community work. And one of the things that I'd read about you was that you were actually working with people who were victims of human trafficking. So you put a fair amount of your time into your community work as well.
Daniel Berulis
Yep, yep. I have for many years been a volunteer firefighter, did rape crisis center counseling, do Microsoft TEALS. I've always had a desire to give back to my community in a meaningful way. And joining the federal government was just another way to do that for me.
Jim Love
To be honest with you, I'm assuming with your credentials, and they are significant, I'm sure you didn't move over to the government for the money.
Daniel Berulis
That's a very valid assumption. Yes, but for the sense of purpose and the mission, absolutely.
Jim Love
But you've held some pretty good positions here. You had a top secret security clearance at one point. So you understand, when we're going to be talking about protection of data, you've been thoroughly trained in that. I don't think people really realize how much goes into getting a top secret security clearance. You're obviously told not to use commercial apps on your phone, but we won't go there. But what's the process for getting that for a normal human being?
Daniel Berulis
Sure. Try to think of somebody that could validate where you lived 10 years ago from your life. And then multiply that by 15; there's so much that they dig back into. Every employee you've talked to, every boss, lots of different facets that they dig deep into to figure out exactly who you are and whether or not you're trustworthy with government secrets.
Jim Love
Yeah. And I presume you get the lecture on how to treat things, the strict rules. Can you remember any of that, hearing it for the first time?
Daniel Berulis
Absolutely. So classified information never leaves where you're viewing it. You don't disseminate that. I can tell you that there are different protocols. We generally classify with traffic lights, red, yellow and green, to indicate who this is shareable to. And furthermore, the one thing that is drilled into your head is that government systems are protected. The data is not to be exposed to people that are unauthorized to view it. That's like the number one thing that's drilled into your head, time and time again.
Jim Love
Yeah. And there's that principle of least disclosure, even if it's not particularly written down. You have to ask yourself, does this person have a need to know this information? So it's not just rules; there are principles that you have to follow.
Daniel Berulis
Absolutely.
Jim Love
So take this. You're a normal guy. You've taken this job, you obviously liked working there. I could read that even into the comments that you make. You're having a good time, and all of a sudden there was a call that said you need a bodies-in-chairs meeting. Can you describe what that was, what that call was like?
Daniel Berulis
Sure. I was surprised, actually; we had not gone fully back into the office yet. We were still partially working remote. So that call was unusual but also exciting. At first, myself, my coworkers, we were actually pretty excited to meet DOGE, see if they had the technical chops and if they could come in and we could work with them. I actually got there early, I remember, the next Monday, which with the drive is a pretty rare event for me. So I got in there with 20 minutes to spare. It was pretty exciting come that Monday.
Jim Love
So you get into work early. You're sitting there in the conference room. Could you see the black limo pull up? How did you know that was them?
Daniel Berulis
Yeah, so I'd actually gone outside. It was about 15, 20 minutes after the start of the day, so I'd been there for about an hour by then. I went outside with one of my coworkers and we're looking outside and see it in our peripheral vision, and obviously the lights and the make draw a lot of attention. But it was an SUV with police escorts front and back, and it pulled into the parking garage. And I can honestly say that there wasn't a single other time I've seen that while working in that building or anywhere near the building. So that was unusual. We both commented and said, oh hey, I bet that's them.
Jim Love
So you see this limo pull in, they get out and into the building, and you're having a meeting. What was announced to you?
Daniel Berulis
So the announcements weren't through official channels. It was your boss comes in or your coworker comes in and they close the door to your office and they tell you, oh hey, I just heard such and such. There wasn't any official email or any kind of official memo that was sent out. But the understanding was that we were going to be expecting them to come up and just talk to us, understand where our jobs were, and any kind of system access that they needed, we were told to grant them without question.
Jim Love
So there was no official presentation, and they didn't come in and present to you in a conference room or anything like that? You were just told they'll be by your desk to ask you what you're doing. And all that sort of pretty standard stuff, actually, right?
Daniel Berulis
Yeah, so far it was pretty standard. The only thing that really raised a red flag off the bat is I talked to my CISO later in the afternoon that day, and he confided to me that he had suggested a streamlined process for them, which is to log their accounts in ServiceNow and just create a ticket to log the access that they're gonna be given and the accounts that are created, versus our normal SOP of going through the user creation process. However, that got shot down, and he was told instead to not make any log or record of their accounts at all or what permissions are given. And that was the first major "something's wrong" that went off in my head, and in his as well.
Jim Love
Yeah, that's a pretty creepy feeling. In a world where transparency is supposed to be our big thing, and following the rules that we have for security, for somebody to come in and say, keep this off the books, what went on inside your mind when you heard that?
Daniel Berulis
So I definitely was alarmed. That was my big "something's wrong here, guys. Something's fishy. Something is not aligned with benevolent intention." So at that point I just started listening for anything else, started looking around. It wasn't until a few days later, actually, that I started noticing some things that also didn't add up and added to that overall fear, those indicators.
Jim Love
Can you describe that to me? What was your first clue that things were going wrong?
Daniel Berulis
There was a large spike in outgoing data. And when I say large, we're talking a magnitude of 3 or 400. It's a pretty flat baseline on the metrics as far as data output from this Ethernet adapter, and then just this huge spike, and there wasn't anything that correlated.
Jim Love
I saw the chart in your disclosure document; you'd included that in it. If the audience wants to picture it, picture the bottom of a chart with basically a flat line almost hugging the bottom edge and a spike that comes up and takes over the whole page. This is what you saw. Any security professional should be looking at that going, what gives? And so that's what you saw. What did you do about it?
Daniel Berulis
So immediately, I'm very much a pragmatist and a realist. So I started looking. Is there any corresponding inbound data? Maybe it was some back hatching of some system. Nothing. So I said, okay, are there any other systems that were high utilization during that time? And I found the database. The next database was the only other resource. And I said, okay, what time is it? Maybe it was just people moving data, copying over, some DBA doing something. It was at 3 a.m. to 4 a.m. So as I looked for further answers, it became more and more evident that it wasn't something benign.
Jim Love
And is that when you first started checking with the development team, to see if there was something there? You went around, checked to see if anybody could have done this?
Daniel Berulis
Throughout this process, like I mentioned, the biggest thing, my goal, was to try to figure out what exactly happened that had a logical explanation. And so I went to both the security team, the network team and the developers. And actually the head of development, he disseminated it down through his whole team just to make sure nobody, no contractors, no third party, nobody was doing any work during that time. When it came back, that was the case.
Jim Love
Networking was your next stop? Yep. And you checked there?
Daniel Berulis
Yeah.
Jim Love
Nothing happened.
Daniel Berulis
We have packet sniffers, we have egress that normally would have picked it up and at least told us what the data was, but when we went to check those, they were in an off state.
Jim Love
So somebody had turned your packet sniffers off.
Daniel Berulis
The Network Watcher in Azure was in a box.
Jim Love
This has got to start to creep you out. This is starting to sound like a spy novel or the chasing of a hacker that's very clever. Spike in data, things are turned off. What were the discussions like? And I don't want to even imply that I would get you to get anybody else in trouble or say that somebody hadn't done something. So let's leave that off the table, because I don't consent. I know you're not that type of guy, but to the degree you can tell me, can you talk to me about what the discussions were like internally? And one of the reasons is we've got a big security audience; they're going to have these types of discussions when they see these types of things. What did you do, and what did you discuss with people, and what was their reaction?
Daniel Berulis
So I went up my chain of command. That's what you're trained to do: you escalate through your chain of command. And so I can honestly say without reservation that my direct chain of command, so that would be my ACIO of Infrastructure, the ACIO of Security and the CIO, all took this very seriously. We started enacting and building up our internal threat monitoring, tooling for internal threat actors. We spent more money on better security auditing and logging, ethereal logging, some of these things that we hadn't necessarily had the budget for because of policy constraints. They found ways to make this work now, which was, to their credit, very great. The problem is that it's just not a retroactive thing. So we didn't have a lot of tools to go back and say, how could we apply this to this date in the past? And so another one of the things that I knew, from why this looked like the big picture, was what to look for, because I've done red/blue war games exercises at clients in the past. And so I knew what an attacker mindset would look like, or playbook I should say. And so I looked at some of these other repos that have been downloaded, some of the other tools I knew to look for. And once I found those, it was clear to me that's exactly what this was. This was an attempt to covertly exfiltrate data, just like you'd see in the private sector.
Jim Love
And we're trained for this. But this is every security person's nightmare: you've got somebody attacking, you don't know who or from where. When did you start to notice other things happening?
Daniel Berulis
It was over the course of a few weeks. Because I still had my normal job duties too, but I was looking at metrics in different reviews, trying to, I remember, look at one point for budgetary savings on a storage account, and I noticed another anomaly. So it was during the course of normal events over the next two weeks that a bunch of these pieces started adding up to that picture.
Jim Love
So you're now looking at this, you're doing your regular job. You've noticed that internal alerting and monitoring systems were turned off, multi-factor authentication has changed. And what else did you discover?
Daniel Berulis
Besides those? There were some conditional access policies that had been altered, some really odd logs around that time. Now that I was able to narrow it down to a certain time window, I was able to look for things: a container being spun up, but we're not using containers at all. That was another big one, probably, yeah.
Jim Love
You found a container on the system.
Daniel Berulis
And I found a container being spun up and deleted. Not like an aha.
Jim Love
Yeah, so whoever's doing this is being pretty clever. They're deleting everything right after they've used it. They're not leaving anything on the system for you to find.
Daniel Berulis
It looks like a very well scripted execution. Yeah. My guess is, because of the time and how many activities were executed in a small amount of time, that this was scripted some way, Python, something that was essentially prepackaged and then run. It doesn't seem like there's a lot of time for all the different interactions for a human to make the actual clicks.
Jim Love
Wow. So they've done this before. Yeah, this feels like a hack. The other thing that I noticed from going through your documents was that they turned off the blocking of mobile devices so that anybody can get into your systems.
Daniel Berulis
And it was odd. They disabled like the insecure clients and the iOS, so there are four settings in Azure. They didn't just completely eliminate mobile devices not being able to log in, but they made it so insecure and, I think it was iOS, where previously they weren't allowed, are now allowed to log in from mobile devices. I still was not able to put together what part of the picture that was, but that wasn't another anomaly that nobody in the office owned up to. I couldn't find any record in the activity logs of making that change. To me it just seemed like it just magically happened.
Jim Love
I don't want to keep coming back to this, but you're talking to people in your office, they're looking at things going, we didn't do this. Aren't people starting to freak out by this point?
Daniel Berulis
You have to understand there's a culture of fear that permeates, and these people have been working government jobs for 15, 20 years. They are very scared of having their heads on the chopping block and going out. And that was pretty clear if you looked at what happened with CISA and some of the other agencies; that's exactly what happens if you start looking into this kind of thing. At first, yeah. But then when everybody kind of put together what happened, what time frame, things got very quiet, particularly from some of the people I'd been working with up until that point.
Jim Love
Even when you noticed that there was an IP in Russia trying to log into your system?
Daniel Berulis
And it would have been successful if not for the conditional access policies that we had in place as a tertiary backup to geo-blocking, that this shouldn't have happened. And the only way that it. Again, I shouldn't speculate, though what I can say is that there are different levels that one has to trigger before the next gets triggered, as far as a login attempt authentication. And so they got past the normal, where you see a ton of these in the normal course of data operations because email addresses are public; you see tons of attempts, but you don't see successful authentication blocked by the CAP, especially out of the country. The only other time we'd see it is if somebody, one of the lawyers, travels internationally and forgets that they have their computer and they try to log in; then that kind of alert would flag. But for it to happen at three, whatever the timing was, so shortly after these new accounts. System-managed identity accounts, not just. So there was the regular account and then there's a system-managed identity account. The regular account, the interactive login, is the one that we saw pop up there. So it wasn't like it was just a programmatic key that was generated and stored somewhere insecurely. This was an account's password.
Jim Love
Could you tell whose account and password this was?
Daniel Berulis
So I can tell you that there were two new user accounts I saw. One was Jamaica Whitehall and the other was Chicago White Sox. Those are the first and last names of the two user accounts that were created. So I don't know the actual names; those don't seem like real names to me. But those were, at the same time, two accounts that were created during that time frame.
Jim Love
But your notes say that these logins occurred within 15 minutes of accounts being created by DOGE.
Daniel Berulis
So these are, right, this was the second time they came back in. So the first time I didn't actually know. I just saw the records of the actual accounts starting to take activity. I didn't actually see the creation. I'm guessing that's because I only had Global Admin, not tenant level, where they were created. But I was able to see the actions by what's in Microsoft called a SID, or Security Identifier. It's unique to each resource, and so each resource has a unique resource ID. And that was what was referenced. So it wasn't necessarily the account at that point as much as just the SID that I saw in the activity logs, and that was correlated through that same SID to that alert in Defender.
Jim Love
So by this point it's obvious you have to report this to someone.
Daniel Berulis
Yes, absolutely. And my CISO, who was very proactive about this, saw the same thing I did, looked at my results and said, okay, yeah, we have to report this to US-CERT. There's a procedure and policy that follows. So we started putting that together towards the end of a week, and everything seemed to be going well; the right people were going to come in and take a look, and with that we went home for the weekend.
Jim Love
And the reporting line would be to CISA. There's a group at CISA you report this to?
Daniel Berulis
Yeah. It might have a different name now, but it used to be called the US-CERT team, which was like your SEAL Team Six for IT incidents within the government. If something happens, there's a breach, they come in, they help you contain and they help you triage. So they're inter-agency, but they are part of CISA, I believe.
Jim Love
Yeah. So you're going to report to them. It seems like a fairly straightforward thing, something you're trained to do. MITRE, it calls into the frameworks, all of the stuff. You put the report together. I presume everybody worked on this report. When did you find out that the report wasn't going to go anywhere?
Daniel Berulis
Just a few days later, whenever it should have already been submitted. And I think I was following up on a status. It was relayed to me that it came down that we would... that it was no longer in the agency's best interest to report that. There was talk of not having our heads on the chopping block. There was talk that making it disappear was the right thing. I was upset, so I went to my CIO and wanted some answers there, and I was surprised, but it came in from higher up, so I can't tell you where exactly it came in from, but I know that he didn't make the call. I mean, that's about all I know at that point. But I was very disheartened. A lot of us were just hopeful that we would at least be able to trigger the right triage and reporting without being interfered with. However, it turns out that nothing was going to happen at all. We were just to ignore it and keep our noses down.
Jim Love
Wow. So you've got people logging into your system, spikes of data exfiltrated, the traces of that being removed, logs affected. And I have to know, how could anybody explain to you that this wasn't to be reported? And I'm sorry, I don't mean to be obtuse about this, but this is pretty black and white at this point. Yeah, people have been prosecuted for not reporting information like this.
Daniel Berulis
And to be honest, that should have been in the forefront of my mind. That should have been my motivating factor. I too didn't want my coworkers to lose their jobs unnecessarily. But when you see things in the... You know what system jobs are in a database, right? They run periodically on time. When you see chunks of time with those missing, as well as any other activity during those hours, it's obvious somebody manually deleted. That wasn't just a system glitch where the jobs just didn't log their activity for a little while there. Absolutely. To not report that is fundamentally flawed with everything that we were trained to do and everything we are trying to do in the government. So it wasn't just myself. Other people were up in arms too. We just didn't know what recourse, because if they were willing to fire the CIO and just stick somebody else in there, everybody else under him is expendable as well. So we started coming up with alternate solutions as to how to get this information in front of the right people, even though we're not allowed to officially use those channels.
Jim Love
And we've been through the fact that the system was... You also traced it back to confidential information being exfiltrated from your systems.
Daniel Berulis
Yes.
Jim Love
And did that get raised in the case? I'm just so surprised that someone wouldn't say... I'm mystified. And I've had a long corporate career. I've had those times that people say to me, Jim, you're a really honest guy, but sometimes you can be too honest. I've had that coaching talk, but this one's pretty cut and dried. Yeah, it's gotta be eating at you. What did you decide to do?
Daniel Berulis
I just... I have to be really careful, because my one goal in this is not to throw anybody else under the bus, so...
Jim Love
Exactly. And we don't want to do that.
Daniel Berulis
So I have to take ownership for some stuff that even realistically may not actually be my decision or my choice. After we...
Jim Love
You could just say decisions were made.
Daniel Berulis
Yeah.
Jim Love
We don't have to be fair then.
Daniel Berulis
Yeah, decisions were made against a few of our voices, as loud as we could, screaming into the void, I think, as someone put it. But we did. Eventually I did find the congressional reporting route, and I looked up my laws and statutes and what I'm supposed to do when I do run into this. Now, the IG was also involved at my agency, and the Office of Special Counsel as well. Those are the standard routes you have to follow. But there is a method. There is a way for you to report it. So even if you feel like somebody's not taking you seriously, luckily, those avenues are what actually proved to be fruitful. Somebody there listened and said, no, this is not okay.
Jim Love
How did you find those? Did you just Google it? How do you find out who to go to?
Daniel Berulis
So actually Google was a big part of it too. Also there are some resources as a fed that I had back when I was doing my TS/SCI about how to report in the IC, and so along that same train of thought I just started looking up how to do whistleblowing, how to correctly whistleblow with legal protection. And that led me, one thing to another, to where we are today.
Jim Love
Did you talk to a lawyer through this?
Daniel Berulis
Yeah, that's where I ended up eventually. And he helped me prepare the disclosure and everything.
Jim Love
And how do you find a lawyer who deals with this sort of stuff?
Daniel Berulis
There are very few, but luckily one of the best is Andrew Bakaj at Whistleblower Aid. He does exactly this and only this, because he is an ex-whistleblower himself. And so he's been through it. He's seen what can happen without protection. He actually helped change the laws around classified disclosures and how that agency, the IG there, is more independent now. He's been a big player in the space for his whole career, and this is the guy you want to go to. So there are a few, there's a handful of them out there, but once you find the right person, they know exactly the right route to go and how to protect yourself while you're disclosing.
Jim Love
So what was your first meeting like with Andrew was his name?
Daniel Berulis
I think I remember later recalling that I felt like I walked in there with a tinfoil hat on. And to his credit, he took me seriously the whole time. But just hearing it, reading it out loud, just going through what I thought might have happened was jarring, even for me. But luckily he was very professional, and he listened to me the whole time and took me very seriously. He helped me flesh out some more questions and things that I needed to figure out before putting that disclosure together.
Jim Love
Yeah. Because as much as we say this looks cut and dried, your career's on the line. Other people's careers are on the line. Yeah, this is serious stuff. We're talking about who's legally liable, and it's easy to start to doubt yourself. Did you doubt yourself through this? Many times?
Daniel Berulis
That's why I tried so hard to come up with alternate viable solutions that could have explained some of this, because that would be a win for me. That would be a best case scenario. I don't jeopardize future job prospects. I don't have any kind of animosity towards my employer or from my employer. I get to figure out, oh, this was this. We get to beef up our security. That's a win-win. I probably tried a little too hard to just come up with some really crazy scenarios of how this could have happened. And eventually I just ran out of crazy pills. I had to face reality and say, this is what it is, and put it together.
Jim Love
Morally, yeah, you're a normal guy. You probably need a paycheck like everybody else does, all this sort of stuff. And you're looking at this. Did you have to resign? What were you facing?
Daniel Berulis
That's a bit complicated, because the agency did not fire me, which was pleasant. However, the day after the disclosure, DOGE announced that they were formally coming into the agency and they were going to staff two people on the same floor, basically right outside my office, for two days a week. And as part of this, and I don't know who it was, I can't. The FBI can, but law enforcement's looking into it. I received a letter on my door before I even disclosed to Congress, my door at my house, where I've only been for like three months. Came home from work one day. Needless to say, it wasn't a very conducive environment after that to go back to, to try to work in the same office as the people that I've accused of at least part of, possibly, data exfiltration. So there was a lot of that aspect to it. I didn't want to put anybody else's job, or I didn't want to put anyone else, in an awkward position. So I chose to resign at that point.
Jim Love
Wow. Yeah, that's got to be tough. Now, where does this go from here? Did you actually appear before anybody, or is this just a document that gets sent to Congress?
Daniel Berulis
No, I've actually spoken to a couple of different committees and offices, helping them understand the right questions to ask, to explore this further and figure out the truth. And I still have some ongoing work that I'm doing in that aspect too. But hopefully there'll be at least enough resources now to get to some semblance of the truth before it's all... At this point, a lot of the data can't really be trusted, because as soon as DOGE came in, they removed administrative rights from everyone else in the company except themselves. That includes Global Admin, Security Admin, User Administrator. So we couldn't even view access logs or activity logs to see what their accounts were doing, right up until I resigned. It brings into question the validity of any kind of data that comes out from them directly. And so the goal now is to hopefully get some third party or additional logging, records that come from outside the agency. Then, when they review that, an objective...
Jim Love
Outside source to actually review that.
Daniel Berulis
That would be ideal. Yeah.
Jim Love
And just for people, because we only have the exposure to this as theater where the person sits behind the desk and there's people yelling at you and telling you're no good and all that sort of stuff. What was the real experience like in meeting with Congress?
Daniel Berulis
They're actually really receptive and a little bit more involved than I would have thought at first. I thought it would be handed off to someone who just... but it was very action-oriented. I think a day or two later they wrote a 50-or-something-person letter to demand answers from the NLRB about this. With over 50 signatures, they moved very quickly. I talked to other experts in the industry too, at other agencies, and they consulted some for data validation. So they did their due diligence, and pretty quickly too. I was rather impressed at the speed of it all, how seriously they took it.
Jim Love
And where does this go from here? You'll have more periods.
Daniel Brulis
I don't know. My part in this hopefully is over, but this is now over to the bigger authority's hands, and hopefully they can take whatever action they deem necessary or prudent.
Jim Love
Wow. So looking back over it, I have to ask you, would you do this again?
Daniel Brulis
I can say I never wanted to do it in the first place. I was in a position where I saw something and I felt morally like I had to. I wasn't given another option. I didn't want this in the first place. This has been a harrowing experience. That being said, would I do it again? I didn't have a choice in the first place. You know, it's just who I am. There's an obligation you have when you see something that could be this drastically wrong: you have to tell someone. You can't just let it go by. And so I would. Knowing full well what it would cost me, I still would do it. I still didn't enjoy any of it. And I wouldn't wish it on anybody else.
Jim Love
I bet just to the degree that you can. If there's someone else listening out there who's in a similar situation, what advice would you give them?
Daniel Brulis
Absolutely. I would definitely tell them to build a support system, document everything, make sure you're meticulous in your communications and your record keeping, and then get somebody that can offer you some kind of protection or guidance to do this. It really is almost impossible to do it alone, and you really do need that support system, and you do need to actually have that mental health care lined up ahead of time to take care of yourself throughout the whole process. There's a lot more to it than just submitting a piece of paper, I found out. And so I would suggest to anybody out there that's thinking about it, or in the same situation, or seeing anything that could be unusual, anything that's keeping you up at night: say something, go through the proper channels, and find protection both for yourself and for your legal stakes in this as well.
Jim Love
I wish you the best, my friend. I hope your next job is really easygoing and the most you have to do is talk about complex passwords.
Daniel Brulis
Yeah. Yes. I have high hopes and I appreciate you for having me, Jim. This is a really important message to get out so that people can know, and I thank you for doing that.
Jim Love
This is absolutely important, and I'll thank you for this. I'm Canadian, obviously, but we have a huge American audience. The bulk of our audience is American. You Americans have a wonderful phrase, and that's the one thing I'd like us to adopt up here in Canada. You say, thank you for your service. And I'd like to say that to you, Daniel. Thank you for your service to your country and to your profession. And that's our show. I hope you found this as incredible as I did. Love to hear from you. I'm pretty safe across the border, so if anybody out there does want to have a chat or pass on any information, I've spent 40 years in the industry getting a reputation for being confidential and being supportive. You can reach me at editorialech, newsday, ca, or find me on LinkedIn like our listeners do. And like I said, if you're one of our listeners, we'd love to hear your comments and opinions on this. Same deal, editorialech, newsday CA, LinkedIn, or if you're watching on YouTube and what you say can be public, just drop a note under the video. And I'm gonna be thinking about this for a while. And I'll be back next week with my co-host, David Shipley, bringing you the best in cybersecurity news. I'm your host, Jim Love. Thanks for listening.
Release Date: May 10, 2025
Host: Jim Love
Guest: Daniel Brulis, Whistleblower
The episode opens with Jim Love setting the stage for a gripping discussion about a significant government data breach. He describes receiving an email accompanied by an official-looking document detailing "tenant admin abuse," which unfolds into a real-life tale reminiscent of a Hollywood thriller. The gravity of the situation is underscored when Jim admits, "When I finished this interview... my hands were shaking" (00:00).
Jim introduces Daniel Brulis, a seasoned cybersecurity professional with extensive experience in infrastructure, automation, and government consulting. Daniel shares his background, emphasizing his commitment to community service, including roles as a volunteer firefighter and counselor (02:17). His motivation for joining the federal government was driven not by financial gain but by a desire to serve and protect national interests.
Jim seeks clarity on the concept of tenant abuse, leading Daniel to explain the hierarchical structure within cloud environments like Azure. He clarifies, "Tenant would be housing all your subscriptions and your various management groups within Azure" (01:10). Daniel emphasizes that tenant-level access surpasses even that of a typical CIO, aligning with zero trust principles where such access should be reserved for "break glass" scenarios (01:37).
Daniel recounts the unusual day when a high-security SUV, accompanied by what he described as police escorts, arrived at their office (06:10). The lack of official communication about the new personnel raised red flags. The directive to grant access without the standard logging procedures further deepened suspicions, prompting Daniel and his CISO to question the integrity of the operation (07:17; 08:11).
A pivotal moment occurred when Daniel noticed a spike in outgoing data, a dramatic increase from a typically flat baseline that suggested unauthorized data exfiltration (09:02). He details his methodical approach to the investigation, including checking with the security and network teams, only to discover that critical monitoring tools such as packet sniffers had been disabled (10:18; 10:53).
Over weeks, Daniel identified multiple anomalies: altered conditional access policies, unauthorized container creation, and suspicious login attempts from foreign IP addresses, particularly from Russia (14:06; 17:55). The creation of dubious user accounts with names like "Jamaica Whitehall" and "Chicago White Sox" further indicated a sophisticated and scripted attack (18:23).
Despite escalating the issue through proper channels, Daniel and his colleagues faced resistance. Their attempts to report the breach to CISA were thwarted by higher authorities who deemed it against the agency's interests to acknowledge the breach (20:11; 21:13). Feeling isolated and witnessing a culture of fear, Daniel decided to seek external legal advice (23:16).
Determined to address the wrongdoing, Daniel connected with Andrew Pukeiho, a specialized whistleblower attorney. Their collaboration led to the formal disclosure of the breach to Congress. Daniel describes his experience with Congress as surprisingly responsive and action-oriented, with immediate steps taken to investigate the incident (25:33; 29:50).
Following the disclosure, law enforcement agencies intensified their presence at Daniel's workplace, creating an untenable work environment. Despite not being formally fired, the pressure led Daniel to resign to avoid further complications and to protect his colleagues (27:14; 28:16).
In reflecting on his ordeal, Daniel emphasizes the importance of having a robust support system, meticulous documentation, and legal guidance when facing such challenges. He advises others in similar situations to seek protection and professional counsel to navigate the complexities of whistleblowing (31:42).
Jim concludes the episode by expressing deep gratitude for Daniel's courage and service, highlighting the critical nature of transparency and accountability in cybersecurity. He encourages listeners to reach out with their own experiences or concerns, reinforcing the episode's message on the importance of safeguarding sensitive information and upholding ethical standards in government operations.
This episode of "Cybersecurity Today" sheds light on the intricate challenges faced by whistleblowers in government settings. Daniel Brulis's courageous actions highlight the critical need for transparent and accountable cybersecurity practices. Listeners are left with a profound understanding of the personal and professional risks involved in exposing internal breaches and the importance of robust support systems for those who choose to speak out.