GSA’s Digital Services Team Exposed 100 Google Drives, Watchdog Finds
The inspector general issues an alert on a vulnerability that had existed since October 2015.
The governmentwide digital services team housed at the General Services Administration, known as 18F, accidently exposed 100 GSA Google Drives to unauthorized users in and out of government, the agency’s inspector general announced on Friday.
In a management alert, the watchdog said that during an ongoing evaluation by its forensic auditors last week, 18F, which is responsible for vetting software for agency use, enabled unauthorized technologies during a five-month period ending in March, “potentially exposing sensitive content such as personally identifiable information and contractor proprietary information.”
The watchdog said the issue “warrants immediate attention.”
GSA employees working for 18F, the alert noted, are required by internal policy to use Slack, an online messaging and collaboration application, to share files, images, PDFs, documents and spreadsheets. Staff used an authentication and authorization process called OAuth 2.0 to permit sharing of files from GSA’s Google Drives, as well as with other applications. “On March 4, 2016, an 18F supervisor discovered that their use of OAuth 2.0 to authorize access between 18F’s Slack account and GSA Google Drive permitted full access to over 100 GSA Google Drives, resulting in a data breach,” the alert said.
When IG staff questioned the I8F supervisor in May, that supervisor said the team had learned of the breach in March, but the vulnerability had existed since October 2015. Once the problem was recognized and reported to the agency’s senior information security officer, 18F eliminated full access permissions from OAuth 2.0 to GSA Google Drives, the supervisor said.
The alert noted that 18F’s use of both Slack and OAuth 2.0 violated GSA’s Information Technology Standards Profile. “In addition, by delaying the reporting of the data breach by five days, 18F staff failed to comply with the GSA Information Breach Notification Policy,” the IG said, adding that the policy calls for notification in one hour.
“The purpose of this alert is to bring this matter to management’s attention to ensure further vulnerabilities are appropriately mitigated and secured,” the IG said. It recommended that GSA cease using Slack and OAuth 2.0 until they are approved in the IT standards profile and beef up compliance.
It asked GSA to notify the IG within 10 days of remedial steps taken.
An agency spokesperson told Government Executive, “In this case, as part of normal operations, we identified a misconfiguration in one of our collaboration tools. Once identified, we corrected the issue immediately and initiated an internal review that did not identify any data breaches. Additionally, we made our user community aware of the issue to ensure they operate in a manner consistent with our IT policies.”