Unsecured US House Database Exposes Sensitive Details of Over 450 Top-Secret Clearance Holders

Introduction

New research, reviewed by WIRED, reveals that the sensitive personal details of over 450 individuals holding "top secret" US government security clearances were inadvertently exposed online. The exposed data was part of a database associated with the "DomeWatch" platform, operated by the US House of Representatives Democrats and containing information related to congressional job applications and staffing.

Incident Discovery and Response

During a September 30 security scan for unsecured databases, an anonymous ethical researcher identified the exposed cache of data within DomeWatch—a platform hosting congressional event calendars, floor session videostreams, job boards, and a résumé bank. The researcher promptly notified the House of Representatives’ Office of the Chief Administrator, and the database was secured within hours. The initial response from the office was limited to a confirmation: "Thanks for flagging."

The researcher, citing the sensitivity of the findings, requested anonymity. They noted the database contained biographical information, military service records, security clearance statuses, language proficiency, contact details (names, phone numbers, email addresses), and internal identifiers for approximately 7,000 applicants over the past two years.

Data Content and Scope

Notably, the exposed data did not include full résumés but featured details typical of job application processes. Among the 7,000+ entries, approximately 4,200 individuals had documented experience working in Congress, with 6,300 marked as affiliated with the Democratic Party, 17 with the Republican Party, and 250+ as independent or non-partisan.

Crucially, the data included over 450 individuals with "top secret" security clearances, including one entry listing an individual with "intelligence" and "US-China relations" expertise—a red flag for foreign adversaries.

Potential Security Risks

The researcher emphasized that the exposed information posed severe espionage risks, stating: "From the perspective of a foreign adversary, this is a gold mine of who you want to target." Such data could enable reconnaissance efforts, spear-phishing, or social engineering against government and military personnel with access to sensitive information.

Alexander Leslie, senior advisor for government affairs at threat intelligence firm Recorded Future, reinforced these concerns, noting: "Exposed databases enable targeted espionage, fraud, and identity abuse. Military histories and clearance statuses provide adversaries with precise reconnaissance opportunities, including pretexting and account compromise."

Official Response and Investigation

In a statement dated October 22, Joy Lee, spokesperson for House Democratic whip Katherine Clark (who oversees DomeWatch), attributed the incident to an "outside vendor" (an independent consultant managing the platform’s backend). "We immediately alerted the Office of the Chief Administration Officer, and a full investigation has been launched to identify and rectify vulnerabilities," Lee added.

House Democratic offices faced challenges due to government shutdown-related furloughs, with some staff unavailable for comment. The Office of the Chief Administrator did not respond to WIRED’s requests by publication time.

Broader Context and Expert Analysis

The researcher highlighted that DomeWatch’s exposure underscored the prevalence of unsecured databases across the internet, noting they would not have investigated the site without noticing "top-secret" keywords. Leslie referenced the 2015 Office of Personnel Management (OPM) hack—a breach exposing millions of government employee records—as a precedent for long-term national security risks from compromised personnel data.

The researcher clarified: "This was not targeted at any party, but a systemic failure. Exposed databases like this threaten nation-state security."

Conclusion: The incident underscores the urgency of securing internal government systems against unauthorized data exposure, with far-reaching implications for counterintelligence and personnel security.