Watchdog: 18F Caused a 'Data Breach' Using Slack

Tech consulting team 18F's Slack account may have exposed sensitive government information to outsiders and resulted in a data breach, a watchdog report says.

18F, a unit inside the General Services Administration made up largely of private sector recruits who whip up digital prototypes and advise other agencies on tech projects, required employees to use the messaging and collaboration application Slack to share content such as spreadsheets and PDFs. Slack has gained significant traction among employees at startups and tech companies. 

Using Slack exposed more than 100 GSA Google Drive accounts -- essentially, storage files -- to outsiders for at least five months, according to a new report from the General Services Administration's Office of the Inspector General. Vulnerable information included personally identifiable information and proprietary information belonging to contractors, the report said. 

The team had been using an authentication protocol known as "OAuth 2.0"; neither Slack nor that protocol had been approved under GSA IT standards, according to the IG. It was the use of this authentication method that exposed the Google drives to potential intrusion.

An 18F supervisor notified a senior security officer at GSA about the breach five days after it was discovered in early March. According to that supervisor, the vulnerability had existed since October. That appears to have run afoul of GSA's policy on data breaches, which requires that all incidents involving personally identifiable information be reported to the GSA chief information security officer's team within one hour of discovery.

18F has been very public about its use of Slack, announcing in a blog post that it had coded a bot in the application to flag potentially sexist phrases -- suggesting "people" or "team" in place of the word "guys," for instance.

Last year, Slack itself disclosed that a database storing user information had been exposed to intruders, and subsequently enabled new security features including two-factor authentication and a password "kill switch" allowing entire teams to reset passwords at once. The OIG recommended GSA stop using Slack and OAuth 2.0 until they are approved under agency IT standards.

In an email to Nextgov, a GSA spokesperson referred to the incident as a "misconfiguration in one of our collaboration tools."

After the issue was identified, GSA "initiated an internal review that did not identify any data breaches" and "made our user community aware" of the problem.

18F and the U.S. Digital Service, a White House tech team, are also the subject of a Government Accountability Office audit, expected to be published in June. 
