The General Services Administration hasn’t been able to locate eight agency employees or contractors and notify them that their information was compromised in a 2014 breach.
GSA’s inspector general released a series of audits from 2015 last week that revealed details about the 2014 breach in the agency’s Google cloud computing environment, which the IG says affected 907 employees, contractors and job applicants, and made sensitive but unclassified building information accessible to contractors and employees without “a need to know the information.”
“Our limited review of GSA’s Google cloud computing environment, which contains approximately 3.8 million documents, disclosed personally identifiable information that was accessible to employees and contractors without a valid need to know the information,” Marisa Roinestad, associate deputy assistant inspector general for auditing, wrote in the Jan. 29, 2015, audit. “As a result, the [Office of the CIO, who was then Sonny Hashmi] determined that the PII of at least 907 government employees, contractors, and job applicants was accessible Agency-wide.”
The audits weren’t release in 2015 because they “presented existing security vulnerabilities,” the audits says, but were released Jan. 27 because the concerns “no longer exist.”
The IG found the vulnerabilities to be associated with GSA’s Google Groups, Sites and Docs apps, which it said had “improper access settings.” Information accessible in the breach included full or partial Social Security numbers, passport and driver’s license numbers, birth dates and home addresses.
GSA issued breach notifications to the affected people whom it could locate, but the IG initially found those notifications to be inadequate, because they didn’t include information on the timeframe, description and date of the breach, or the actions the agency was taking to investigate it. The agency also described the breach with a “false sense of security,” the 2015 audit said, because the notification explained “that exposed information ‘never went outside the GSA
firewall,'” though it couldn’t ensure that sensitive information wasn’t taken outside the agency.
In a follow-up implementation review released with the original audit last week, the IG found the agency still hasn’t been able to reach eight people affected by the breach.
“For the remaining 8 individuals, the search results did not provide GSA with an acceptable level of confidence to attempt to contact them,” the review says. ‘Therefore, the Agency should determine whether it will take additional action to locate and communicate with these individuals.”
Additionally, the sensitive building information disclosed in the breach included emergency plans for child care centers, courthouse blueprints with vulnerability assessments and the locations of judges’ chambers, details about GSA’s building automation system, and more.
According to the initial 2015 report, GSA defines a data breach as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users with an authorized purpose have access or potential access to Personally Identifiable Information, whether physical or electronic.”
GSA moved agencywide to the cloud in June 2011 through a contract with Google.
GSA is working to remediate the pending actions in the review, but otherwise did not comment on the audit.