Personal data of thousands of GSA employees at risk

The personal information of thousands of federal workers is at risk after a General Services Administration worker mistakenly sent the names and Social Security numbers of all of the agency's 12,000 employees to a private e-mail account.

The incident occurred Sept. 16, and GSA security officials learned about it Sept. 22 in a weekly e-mail security report, a spokeswoman said. Workers first learned of the data breach in an agency-wide e-mail sent Sept. 28.

GSA would not say why it waited 12 days to inform workers of the breach. The agency is offering free credit monitoring for a year and $25,000 in identity theft insurance coverage to all workers, according to a letter sent to employees Oct. 25.

The incident was not caused by a system-wide security failure but by "one person who didn't make a good decision," said GSA spokeswoman Sara Merriam. She could not immediately say whether the worker who mistakenly sent the e-mail faced any disciplinary action.

GSA's Office of Inspector General is investigating the incident, a spokesman said.

"I'm very concerned that that situation could have happened at all, and then, of course, once it happened, employees needed to know right away to ensure their credit was protected," said John Hanley, president of the National Federation of Federal Employees union, which represents GSA workers. "I think they should have done something sooner, and they should have advised all employees immediately when they learned there was a breach."

Personal security breaches have happened several times in recent years. Hackers breached the USAJobs.gov federal jobs database in January 2009, compromising user IDs, passwords, names and addresses. The personal information of about 45,000 Federal Aviation Administration workers was compromised in February 2009.

The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed in July 2009, and the department faced criticism in January for waiting seven weeks to inform employees of a December 2009 data breach.

GSA is blocking the delivery of agency e-mails that contain unencrypted Social Security numbers or messages containing numbers formatted in a similar fashion, Merriam said.