A cyber vulnerability known to have existed as far back as October 2015 has led to a data breach at the General Services Administration’s 18F digital services organization, the GSA’s inspector general announced today.
In a Management Alert Report dated May 12, the GSA IG said more than 100 Google Drives used by 18F personnel were accessible to users inside and outside of GSA during a five-month period, exposing personally identifiable information and proprietary contractor information. IG investigators became aware of the vulnerability and the data breach during their ongoing investigation of 18F financial management.
The vulnerability stemmed from 18F’s use of the Slack instant messaging system in conjunction with the OAuth 2.0 authentication and authorization process.
“On March 4, 2016, an 18F supervisor discovered that their use of OAuth 2.0 to authorize access between 18F’s Slack account and GSA Google Drive permitted full access to over 100 GSA Google Drives, resulting in a data breach,” the report states. “On March 9, 2016, five days after discovering the breach, the 18F supervisor notified the GSA Senior Agency Information Security Officer of this vulnerability.”
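The failure described above is a consent-scope problem: an OAuth 2.0 grant that hands a chat integration a full-Drive scope gives that integration the same reach as the user who consented, including every drive shared with that user. The following added example (not code from the article, from 18F, or from the IG report, and not a reconstruction of what Slack actually requested) audits a list of third-party OAuth grants and flags those carrying a full Google Drive scope. The scope URIs are Google's published Drive API scopes; the `Grant` records, the app names and the function names are constructed for the example, and a real audit would feed it the grants exported from the identity provider's admin console.

```python
# Added example: audit third-party OAuth grants for over-broad Google Drive scopes.
# Scope URIs are real Google API scopes; the grant records, app names and
# function names below are constructed for this example, not taken from the report.

from collections import Counter
from dataclasses import dataclass

# Scopes that expose every Drive file the consenting user can reach.
FULL_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",           # read/write all files
    "https://www.googleapis.com/auth/drive.readonly",  # read all files
}
# Scopes limited to files the app itself created or the user opened with it.
NARROW_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.appdata",
}

SEVERITY_RANK = {"high": 0, "info": 1}


@dataclass(frozen=True)
class Grant:
    user: str            # account that clicked "Allow" on the consent screen
    app: str             # third-party OAuth client the token was issued to
    scopes: frozenset    # scopes recorded at consent time


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    severity: str
    reason: str


def classify_grant(grant: Grant) -> Finding:
    """Rate one grant by the broadest Drive scope it carries."""
    if grant.scopes & FULL_DRIVE_SCOPES:
        return Finding(grant.user, grant.app, "high",
                       "full access to every Drive file the user can reach")
    if grant.scopes & NARROW_DRIVE_SCOPES:
        return Finding(grant.user, grant.app, "info",
                       "per-file Drive scope; app sees only files it opened")
    return Finding(grant.user, grant.app, "info", "no Drive scope granted")


def audit_grants(grants) -> list:
    """Classify every grant and return the findings, highest severity first."""
    findings = [classify_grant(g) for g in grants]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def high_risk_apps(grants) -> dict:
    """Map each app holding a full-Drive grant to the number of users it reaches."""
    counts = Counter(f.app for f in audit_grants(grants) if f.severity == "high")
    return dict(counts)


# Constructed sample: four consents as an admin export might list them.
SAMPLE_GRANTS = [
    Grant("alice@example.gov", "team-chat-integration",
          frozenset({"https://www.googleapis.com/auth/drive",
                     "https://www.googleapis.com/auth/userinfo.email"})),
    Grant("bob@example.gov", "team-chat-integration",
          frozenset({"https://www.googleapis.com/auth/drive"})),
    Grant("carol@example.gov", "doc-editor",
          frozenset({"https://www.googleapis.com/auth/drive.file"})),
    Grant("dave@example.gov", "calendar-sync",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
]


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"[{f.severity:4}] {f.user:22} {f.app:22} {f.reason}")
    print("apps with full-Drive reach:", high_risk_apps(SAMPLE_GRANTS))
```

The severity rule is deliberately coarse: any full-Drive scope is rated high regardless of the app, because the blast radius is set by the consenting user's access rather than by what the app is meant to do. The same check is the gate a team would apply before approving an integration, where the mitigation is to insist on a per-file scope such as `drive.file` or to withhold the Drive scope entirely.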
The incident raises other serious questions for senior leaders at 18F. According to the IG report, 18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s Information Technology Standards Profile or GSA Order CIO P 2160.1E. “The order allows information technologies to be approved for use in the GSA IT environment if they comply with GSA’s security, legal, and accessibility requirements. Currently, neither OAuth 2.0 nor Slack are approved for use in the GSA IT standards profile,” the IG report states.
18F supervisors are also coming under scrutiny for delaying the reporting of the vulnerability. “By delaying the reporting of the data breach by five days, GSA 18F staff failed to comply with the GSA Information Breach Notification Policy,” the IG report states. “The notification policy requires that all incidents involving a known or suspected breach of personally identifiable information must be reported to the GSA Office of the Chief Information Security Officer within one hour of discovering the incident.”
The IG recommended that GSA cease using Slack and OAuth 2.0 and ensure that 18F complies with security incident reporting policies. 18F has 10 days to respond to those recommendations.