The General Services Administration’s inspector general has found that the 18F digital services organization experienced a data breach due to the use of systems that are not approved under GSA’s Information Technology Standards Profile.
GSA IG said in a management alert report issued Thursday that at least 100 GSA Google Drives have been exposed to external users since October 2015 because of OAuth 2.0.
18F employees use the authorization system to share files between Google Drive and the online messaging and collaboration application Slack.
The IG added that the breach potentially compromised personally identifiable information and contractor proprietary data to people outside GSA.
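The exposure described above is the kind a periodic sharing audit is meant to catch: Drive files whose permissions reach outside the organization, and third-party OAuth 2.0 grants whose scopes allow an app to read Drive content. The following is an added example, not code from the report, GSA or 18F. It models permission records on the fields the Google Drive API uses (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`) and OAuth grants on the Admin SDK token fields (`clientId`, `displayText`, `scopes`), but every record below is constructed, the internal domain is assumed, and the scope list is illustrative rather than authoritative.

```python
"""Flag externally shared Drive files and Drive-scoped OAuth grants (constructed data)."""
from dataclasses import dataclass, field
from typing import List, Tuple

INTERNAL_DOMAIN = "gsa.gov"  # assumption: the organization's own Workspace domain

# Scopes that let a third-party app read or write Drive content.
# Illustrative subset of Google's published Drive scope URIs, not an exhaustive list.
DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.readonly",
}


@dataclass
class Permission:
    type: str                        # "user", "group", "domain" or "anyone"
    role: str                        # "reader", "writer", "owner", ...
    email: str = ""                  # for user/group grants
    domain: str = ""                 # for domain grants
    allow_file_discovery: bool = False  # True: searchable, False: link-only


@dataclass
class DriveFile:
    file_id: str
    name: str
    permissions: List[Permission] = field(default_factory=list)


@dataclass
class OAuthGrant:
    user: str          # account that authorized the app
    client_id: str     # OAuth client id of the third-party app
    display_text: str  # app name shown on the consent screen
    scopes: List[str]


def permission_is_external(p: Permission, internal_domain: str = INTERNAL_DOMAIN) -> bool:
    """A permission is external if it reaches any principal outside the internal domain."""
    if p.type == "anyone":
        return True
    if p.type == "domain":
        return p.domain.lower() != internal_domain
    if p.type in ("user", "group"):
        return not p.email.lower().endswith("@" + internal_domain)
    return True  # unknown permission type: treat as exposed rather than assume safe


def describe(p: Permission) -> str:
    """Short label for a finding; distinguishes link-only from discoverable public shares."""
    if p.type == "anyone":
        return "anyone" + ("" if p.allow_file_discovery else " (link)")
    return f"{p.type}:{p.email or p.domain}"


def externally_shared_files(files: List[DriveFile],
                            internal_domain: str = INTERNAL_DOMAIN) -> List[Tuple[str, List[str]]]:
    """Return (file_id, [external principals]) for every file with at least one external grant."""
    findings = []
    for f in files:
        ext = [p for p in f.permissions if permission_is_external(p, internal_domain)]
        if ext:
            findings.append((f.file_id, [describe(p) for p in ext]))
    return findings


def risky_oauth_grants(grants: List[OAuthGrant]) -> List[Tuple[str, str]]:
    """Return (user, app) for every third-party grant that includes a Drive scope."""
    return [(g.user, g.display_text) for g in grants if DRIVE_SCOPES & set(g.scopes)]


# Constructed sample records (not real GSA data).
SAMPLE_FILES = [
    DriveFile("f1", "budget.xlsx", [Permission("user", "writer", email="alice@gsa.gov"),
                                    Permission("user", "reader", email="bob@gsa.gov")]),
    DriveFile("f2", "contractor-rates.pdf", [Permission("user", "owner", email="carol@gsa.gov"),
                                             Permission("anyone", "reader")]),
    DriveFile("f3", "vendor-notes.docx", [Permission("user", "owner", email="dan@gsa.gov"),
                                          Permission("user", "reader", email="partner@example.com")]),
    DriveFile("f4", "roster.csv", [Permission("domain", "reader", domain="gsa.gov")]),
]

SAMPLE_GRANTS = [
    OAuthGrant("alice@gsa.gov", "client-a", "Slack",
               ["https://www.googleapis.com/auth/drive.readonly",
                "https://www.googleapis.com/auth/userinfo.email"]),
    OAuthGrant("bob@gsa.gov", "client-b", "Calendar Helper",
               ["https://www.googleapis.com/auth/calendar.readonly"]),
    OAuthGrant("carol@gsa.gov", "client-a", "Slack",
               ["https://www.googleapis.com/auth/drive"]),
]

if __name__ == "__main__":
    for file_id, principals in externally_shared_files(SAMPLE_FILES):
        print(f"external share: {file_id} -> {', '.join(principals)}")
    for user, app in risky_oauth_grants(SAMPLE_GRANTS):
        print(f"drive-scoped grant: {user} authorized {app}")
```

In a real deployment the two input lists would come from the Drive `permissions` listing and the Admin SDK `tokens` listing for each user; the checks themselves are the point. A grant to an integration such as a chat tool is not a finding by itself, but a Drive scope on that grant means files the app touches are governed by the app's sharing behavior, which is why both lists are reviewed together.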
According to the report, an 18F supervisor discovered the breach on March 4 and reported the vulnerability on March 9 to the GSA senior agency information security officer.
OAuth 2.0 and Slack are not compliant with GSA Order CIO P 2160.1E, which requires the evaluation of IT products and services against the agency’s security, legal and accessibility needs to approve their use under the GSA IT standards profile, the report added.
GSA IG said 18F also failed to comply with the agency’s information breach notification policy, which requires personnel to report all uncovered or suspected breaches of PII within an hour of discovery.
The report recommended that GSA stop the use of Slack and OAuth 2.0 unless they are approved for use in the IT standards profile, and that it ensure 18F follows GSA Order CIO P 2160.1E.