GSA officials, however, say no sensitive information was exposed — at least as far as they know.
An 18F blog post on Friday (yes, the unlucky Friday the 13th) pointed to “a mistake made in the configuration of Slack, an online chat tool we use. We discovered and remedied this issue a couple of months ago. We did a full investigation and to our knowledge no sensitive information was shared inappropriately.” (The emphasis was included in the original blog post.)
The blog post was authored by Aaron Snow, 18F’s executive director, and Noah Kunin, 18F’s director of delivery architecture and infrastructure.
If their benign assessment of the mistake’s effect proves accurate, then perhaps one of the more noteworthy things about this incident is the apparent forthrightness of their written explanation.
It is “apparent forthrightness” because the effect of the error remains under investigation. The IG’s office would not confirm the agency’s contention that no data were breached and several questions remain:
- Were the data accessible to anyone other than GSA employees?
- Was this a failure of software or was there any human error or intentional action involved?
- What kind of “personally identifiable information (PII) and contractor proprietary information” potentially was exposed?
- About how many individuals’ PII might have been exposed? Were they employees or others? If others, can you identify the groups of people?
- Information belonging to about how many contractors was exposed?
A spokeswoman for the IG’s office, Sarah S. Breen, said those are good questions, but she provided no answers: “As the review is ongoing, we are still looking into issues such as these.”
GSA press secretary Ashley Nash-Hahn, on the other hand, was definitive in her defense of the agency: “There was no breach of sensitive information.”
She also did not specifically address my questions, but she explained, in bureaucratic fashion, what happened: “As part of normal operations, we identified a misconfiguration in one of our collaboration tools.”
What does that mean? Wording like that isn’t going to win any clear-writing awards.
Contrast that with 18F’s forthrightness.
In October, a GSA worker enabled Slack “to automatically provide document previews when we sent each other links to our GSA Google Drive documents,” Snow and Kunin wrote. “In March 2016, we realized this option was active and it shouldn’t have been — so we disabled the option and took further steps … to correct the issue. Enabling this integration was a mistake, but the consequences were not a data breach or hack.”
The 18F blog looks attractive and is an easy read, unlike many government publications. Yet, that doesn’t necessarily mean that the blog tells the whole story. Both the IG and Congress want more information.
“It is alarming that the very IT geeks charged with helping to modernize federal IT are so casual about safeguarding important data. … It appears these ‘experts’ need to learn a thing or two about protecting sensitive information,” said Rep. Jason Chaffetz (R-Utah), chairman of the House Committee on Oversight and Government Reform. “The Committee intends to further investigate this matter to ensure proper security protocol is followed.”