18F: Slack Incident Wasn’t a ‘Data Breach'

A screenshot of the Slack website.

A screenshot of the Slack website.

The tech team responded to the IG report saying a security vulnerability within Slack was fixed, and that data wasn’t exposed.

Federal tech team 18F says a configuration within the Slack application didn’t expose employees' sensitive personal information to outsiders and shouldn't be considered a data breach -- contrary to a recent watchdog report.

18F employees are required to use messaging system Slack for internal communication. An accidentally-enabled setting within the application added links to Google Docs from those conversations to Slack’s searchable database, according to an 18F blog post.

A report from GSA’s Office of the Inspector General concluded the setting may have exposed more than 100 Google Drive accounts to unauthorized access, resulting in a “data breach.” The types of information potentially exposed included personally identifiable information and contractors' proprietary information. 

That setting was enabled for at least five months, according to the IG report.

While the configuration “was a mistake,” the 18F post said, “the consequences were not a data breach or hack” and an internal review found “no sensitive information was shared inappropriately.”

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

However, 18F’s contention that the incident didn’t amount to a data breach appears to be at odds with GSA’s own definition of the term. 

A 2015 GSA policy defines "data breach" as the “loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access" of information, "where persons other than authorized users with an authorized purpose have access or potential access to [personally identifiable information]." (emphasis added). 

18F, which asserted it fixed the Slack setting immediately after discovery, did not explain in the post how it could confirm no sensitive information was shared and did not respond to Nextgov’s request for clarification.

It also did not comment on the IG’s claim that an 18F supervisor waited five days before notifying a senior agency information security officer about the potential breach. GSA policy requires notification within one hour of discovery.

The IG report had also recommended 18F stop using Slack and an associated authentication protocol until both are approved by GSA’s IT standards. 18F did not respond to Nextgov’s questions about plans to comply with those recommendations.

In a statement emailed to Nextgov, a Slack spokesperson said the incident “does not represent a data breach of Slack, and customers should continue to feel confident about the privacy and security” of their data.