House Republicans unveiled on Wednesday Congress’ latest effort to tackle comprehensive digital privacy legislation for Americans.

The Secure Data Act would allow consumers to opt out of data collection for individual businesses for the purposes of targeted advertising, selling to third parties or for use in automated decisionmaking.

It would also require companies to inform consumers when their personal data is being collected or used, provide them with a portable version of that data, and give consent rights to parents over the data collection of teenagers.

“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” said Brett Guthrie, R-Ky., Chair of the House Energy and Commerce Committee and Rep. John Joyce, R-Pa., who led a working charged with developing the draft legislation, in a statement.

The draft bill also imposes new requirements on businesses and other organizations to limit their collection of personal consumer data to what is “adequate, relevant and reasonably necessary” and only for purposes that are disclosed to consumers in advance. They must also adopt new safeguards for customers’ personal data and disclose any third parties they share it or sell it to, including adversarial foreign governments like Russia and China.

The Federal Trade Commission would be given greater oversight of data brokers that buy, collect, repackage and sell personal data to the highest bidder. The draft bill requires data brokers to register with the FTC, comply with data minimization, disclosure and data security mandates, and creates a new national data broker registry.

Cobun Zwiefel-Keegan, managing director at the International Association of Privacy Professionals, told CyberScoop that based on the released draft and conversations on the Hill, the bill most resembles privacy laws passed by Virginia or Kentucky (the home state of Guthrie) in recent years, with an emphasis on providing notice and opt-out rights to individual consumers and often tying business compliance to “reasonable” standards of evidence that they acted to protect consumer data.  

At the same time, Zwiefel-Keegan said it could potentially further empower the Federal Trade Commission and state Attorneys General to investigate and sanction bad actors.

The bill is the product of more than 16 months of internal discussion and consensus-building within the GOP majority. While drafting it, a working group led by Rep. John Joyce (R-Pa.) and other House Republicans solicited feedback from 170 organizations and received more than 250 responses from the public to a Request for Information released last year.

While they have worked to achieve consensus within their own caucus, House Republicans did not involve Democratic members in the working group or drafting process, something observers said could make it difficult to attract bipartisan support.

Zwiefel-Keegan said that while the Republican drafters of the bill “would challenge Democrats to explain why they can’t support the type of bill that has been passed in blue states.”

But he also noted that there are “plenty of ways that people will point to how it’s weaker than a lot of blue state privacy laws,” including federal preemption of more robust state privacy laws like those in California, the lack of a private right of action allowing individuals to sue companies directly and a mandatory 45-day “curing” period that allows companies in violation of the law to come into compliance and avoid formal sanctions.  

“I think the privacy working group and the leadership of the committee thinks there’s a pretty strong chance of passing it out of committee.” After that the bill’s chances are likely dependent on other factors, like getting some Democrats on board and working with “red state representatives who may not like their own laws being preempted.”

Shortly after the draft bill was released, Rep. Frank Pallone, D-N.J., ranking member on the House Energy and Commerce Committee, said he was opposed and accused House Republicans of having “lost the plot” on passing national privacy legislation.

“This Republican privacy bill protects corporations and their bottom line, not people’s privacy,” Pallone said in a statement. “We should be protecting the little guy with a bill that empowers consumers, not one that preempts consumer protections at the behest of Big Tech.”

Eric Null, director of the privacy and data project at the Center for Democracy and Technology, indicated that the Secure Data Act falls short, calling it full of “easily exploitable loopholes” that let companies “hide behind cookie banners and lengthy terms of service rather than establishing meaningful privacy protections.”

Null was also critical of the bill’s lack of substance around AI, saying that Large Language Models pose significant privacy challenges today that will only worsen over time.

“Any federal privacy law discussed in 2026 should be future-proofed by protecting against growing AI-related privacy harms, namely by limiting data collection for AI training and preventing use of the technology to discriminate against protected classes, but this bill does neither sufficiently,” he said.

The American Civil Liberties Union also came out against the bill, with senior staff attorney Cody Venzke saying the GOP-led bill “places the onus on regular people” to sift through complex privacy policies created by businesses to request opt out or deletion of their data.

“And it leaves us without real recourse – even blocking us from going to court – if our requests go unanswered,” said Venzke in a statement.

In their joint statement, Guthrie and Joyce said they “look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

The post House Republicans roll out national privacy bill appeared first on CyberScoop.

Opexus admits it missed key red flags when it hired twins Muneeb and Sohaib Akhter, as it failed to learn about crimes the brothers pleaded guilty to in 2015, including wire fraud and conspiring to hack into the State Department — offenses committed while they were contractors for federal agencies. The federal government contractor nonetheless maintains it conducted seven-year background checks before hiring the brothers in 2023 and 2024.

Opexus fired them in February, minutes before they allegedly stole and destroyed government data in retaliation. The background checks were “consistent with prevailing government and industry standards with additional requirements for more sensitive work. That said, we fully acknowledge that additional diligence should have been applied,” a spokesperson for Opexus told CyberScoop. 

Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Dec. 3 for allegedly committing a series of insider attack crimes during a weeklong window in February that ultimately compromised data from multiple federal agencies, including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission. 

Opexus said it decided to terminate the twins’ employment upon learning of their prior criminal history, but it did not explain how it became aware of their previous crimes nor what prompted a deeper look into their past. The brothers’ previous crimes were widely reported at the time, including details that are readily available via search engine queries on their respective names.

The Washington-based company, which provides services and hosts data for more than 45 federal agencies, admits it made multiple mistakes in the hiring and termination of Muneeb and Sohaib Akhter.

“As with the onboarding, the terminations were not handled in an appropriate manner,” the company spokesperson said. 

“While these individuals passed background checks at the time, this incident made clear that our screening protocols needed to be even more robust,” the spokesperson added. “We have since enhanced our vetting processes and implemented additional safeguards designed to strengthen the protection of the systems and information we manage.”

Muneeb Akhter allegedly accessed Opexus’ computer network five minutes after he was fired. Within an hour, he allegedly deleted approximately 96 databases storing U.S. government information hosted by Opexus, including sensitive investigative files and records related to Freedom of Information Act matters, prosecutors said in an indictment. 

Muneeb Akhter also that evening allegedly deleted a Homeland Security production database, copied more than 1,800 files belonging to EEOC and stole copies of IRS records including personally identifiable information on at least 450 people.

Opexus said it later addressed errors it made, which failed to ensure the twins could no longer access company computers and systems under its care immediately upon their termination. The spokesperson said the company took “appropriate corrective actions and reinforced training across the human resources function to ensure strict adherence to our standard operating procedures going forward.”

The company said it took other measures in response to these insider attacks that are designed to prevent similar outcomes.

“The individuals responsible for hiring the twins are no longer employed by Opexus, and we have since strengthened our screening protocols across the organization,” the spokesperson said. “These enhancements include expanding our standard background check to 10 years, along with additional safeguards that are now embedded into our standard hiring process.”

Opexus also said it supported customers impacted by the internal breach by helping them restore data and providing resources and subject matter expertise for their internal reviews. “The security of our customers’ information is our No. 1 priority, and we remain committed to continuous improvement in our hiring, compliance and internal controls,” the spokesperson said. 

The company said it’s grateful for law enforcement’s actions on this matter, adding that it appreciates that Muneeb and Sohaib Akhter are being held accountable for their alleged crimes. 

Sohaib Akhter faces up to six years in prison for password trafficking and conspiracy to commit computer fraud and destroy records. 

Muneeb Akhter is charged with conspiracy to commit computer fraud and destroy records, two counts of computer fraud, theft of U.S. government records and two counts of aggravated identity theft. He faces a mandatory minimum penalty of four years in prison for identity theft and up to 45 years in prison for the other charges.

The post Opexus claims background checks missed red flags on twins accused of insider breach appeared first on CyberScoop.

Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said.

Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission.

Authorities did not name the federal government contractor, which provides services and hosts data for more than 45 federal agencies, but the company was previously identified as Washington-based Opexus in a Bloomberg report about the insider attack earlier this year. Opexus did not immediately respond to a request for comment.

The brothers are no strangers to law enforcement, the hacking community and government contract work.  They previously pleaded guilty in 2015 to wire fraud and conspiring to hack into the State Department and other crimes while they were employed as contractors for federal agencies. Muneeb Akhter was sentenced to 39 months in prison and Sohaib Akhter was sentenced to 24 months in prison at that time.

An investigation aided by more than 20 federal agencies and specialized units alleges the brothers were back at it a decade later, committing cybercrime with privileged access and technical expertise gained from their employment at a government contractor.

“These defendants abused their positions as federal contractors to attack government databases and steal sensitive government information,” Matthew R. Galeotti, acting assistant attorney general with the Justice Department’s Criminal Division, said in a statement. “Their actions jeopardized the security of government systems and disrupted agencies’ ability to serve the American people.”

Muneeb Akhter is accused of deleting approximately 96 databases storing U.S. government information hosted by Opexus, including sensitive investigative files and records related to Freedom of Information Act matters, prosecutors said in an indictment. 

Muneeb Akhter also allegedly deleted a Homeland Security production database, copied more than 1,800 files belonging to EEOC and stole copies of IRS records including personally identifiable information on at least 450 people. 

Authorities also accused Muneeb Akhter of using an artificial intelligence tool for assistance throughout his alleged conspiracy, querying the tool for advice on how to clear system logs from SQL servers after deleting databases and how to clear all event and application logs from Microsoft Windows Server 2012. 

Prosecutors in the U.S. District Court for the Eastern District of Virginia charged Muneeb Akhter with conspiracy to commit computer fraud and destroy records, two counts of computer fraud, theft of U.S. government records and two counts of aggravated identity theft. He faces a mandatory minimum penalty of four years in prison for identity theft and up to 45 years in prison for the other charges. 

Sohaib Akhter is accused of trafficking in a password that could access an Opexus computer used by EEOC. He faces up to six years in prison for password trafficking and conspiracy to commit computer fraud and destroy records. 

The brothers allegedly cleaned their residence in anticipation of a law enforcement raid and wiped their employer-owned computers by reinstalling the operating system.

“Federal contractors who abuse their positions will be held accountable for their actions,” Joseph V. Cuffari, inspector general at the Department of Homeland Security, said in a statement. “The actions of individuals like Muneeb and Sohaib Akhter are threats to our national security.”

You can read the full indictment below.

The post Twins with hacking history charged in insider data breach affecting multiple federal agencies appeared first on CyberScoop.