IG Uncovers Data Breach at 18F

A cyber vulnerability known to have existed as far back as October 2015 has led to a data breach at the General Services Administration’s 18F digital services organization, the GSA’s inspector general announced today.

In a Management Alert Report dated May 12, the GSA IG said more than 100 Google drives used by 18F personnel were accessible to users inside and outside of GSA during a five-month period, exposing personally identifiable information and proprietary contractor information. IG investigators became aware of the vulnerability and the data breach during their ongoing investigation of 18F financial management.

The vulnerability stemmed from 18F’s use of the Slack instant messaging system in conjunction with the OAuth 2.0 authentication and authorization process.

“On March 4, 2016, an 18F supervisor discovered that their use of OAuth 2.0 to authorize access between 18F’s Slack account and GSA Google Drive permitted full access to over 100 GSA Google Drives, resulting in a data breach,” the report states. “On March 9, 2016, five days after discovering the breach, the 18F supervisor notified the GSA Senior Agency Information Security Officer of this vulnerability.”

The incident raises other serious questions for senior leaders at 18F. According to the IG report, 18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s Information Technology Standards Profile or GSA Order CIO P 2160.1E. “The order allows information technologies to be approved for use in the GSA IT environment if they comply with GSA’s security, legal, and accessibility requirements. Currently, neither OAuth 2.0 nor Slack are approved for use in the GSA IT standards profile,” the IG report states.

18F supervisors are also coming under scrutiny for delaying the reporting of the vulnerability. “By delaying the reporting of the data breach by five days, GSA 18F staff failed to comply with the GSA Information Breach Notification Policy,” the IG report states. “The notification policy requires that all incidents involving a known or suspected breach of personally identifiable information must be reported to the GSA Office of the Chief Information Security Officer within one hour of discovering the incident.”

The IG recommended GSA cease using Slack and OAuth 2.0 and ensure they comply with security incident reporting policies. 18F has 10 days to respond to those recommendations.

  1. Anonymous:
    So, these are the people the Administration wants to handle technology transformation?
  2. Anonymous:
    The 18F blog post from 5/10/16 - Building a Modern Shared Authentication Platform is quite humorous given this recent turn of events. Physician heal thyself? https://18f.gsa.gov/2016/05/10/building-a-modern-shared-authentication-platform/ "In addition to making logging in to government sites easier, the public will also benefit from a more streamlined and efficient interaction with the federal government in general." - Check "This system is designed to be your one account for government, giving you control over how you want to interact with agencies, and breaking down critical barriers between participating agencies, if you so choose." - Check Preserving privacy by mitigating privacy risks and adhering to all federal privacy guidelines. - Needs Improvement...
  3. Anonymous:
    How is it that this organization is tasked with anything? What is its authority? What is its funding? What compliance obligations attach to it? Why did the government set up this organization in the first place?
    1. Anonymous:
      The people saying that it is overblown probably work for GSA, maybe even within 18F. Data confidentiality also applies to internal employees who may gain access without authorization, glitch or no glitch. The 18F folks are supposed to be the experts in IT and cyber, and yet they are doing just what everyone else does: installing their favorite applications without any sort of security testing process applied, or even checking against policies. Obama's presidency will be remembered for at least one thing, and that's the blatant disregard for established law, policy, and procedures.
  4. Anonymous:
    What a fiasco. The Air Force is scrounging for parts to keep our jets flying while money is siphoned off to waste on this nonsense.
  5. Anonymous:
    This is a disappointment given the mission of 18F. I get that they're supposed to be innovative, but they're also supposed to work within the constraints of FISMA. On a larger scale, this is the same agency that oversees FedRAMP, the framework that is supposed to be providing assurances to the federal government that it is ok for agencies to use commercial cloud services. This incident certainly lends credence to the assertion that GSA is playing fast-and-loose with the security rules in achieving so-called innovation. When are these so-called geniuses going to learn that these security controls are requirements, not just good ideas?!?
  6. Anonymous:
    This is overblown: https://18f.gsa.gov/2016/05/13/how-18f-handles-information-security-and-third-party-applications/
  7. Anonymous:
    Agreed, overblown.
    1. Anonymous:
      Glad to see 18F reads Meritalk.
  8. Anonymous:
    So, in addition to losing money, it risks losing data. Nice. BTW, nice to see the bizarre statement issued after the event. Obviously, GSA's lawyers are asleep.