The General Services Administration possibly suffered a data breach by using a popular messaging platform called Slack.
The GSA inspector general issued a management alert May 13 detailing a five-month breach in the 18F organization that potentially exposed “sensitive content such as personally identifiable information and contractor proprietary information” from about 100 Google drive accounts.
Auditors say 18F inappropriately used OAuth 2.0 and Slack in order to share documents, such as PDFs and spreadsheets.
OAuth 2.0 is an open standard for authorization to log on to third party websites using Google, Microsoft, Facebook or other credentials.
“18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s Information Technology Standards Profile, GSA Order CIO P 2160.1E,” the IG reported. “The order allows information technologies to be approved for use in the GSA IT environment if they comply with GSA’s security, legal, and accessibility requirements. Currently, neither OAuth 2.0 nor Slack are approved for use in the GSA IT standards profile.”
The IG said 18F also violated GSA policy by delaying its reporting of the cyber incident.
“The notification policy requires that all incidents involving a known or suspected breach of personally identifiable information must be reported to the GSA Office of the Chief Information Security Officer within one hour of discovering the incident,” the audit stated.
The IG found out about the potential breach on May 5 while doing another audit. 18F discovered the breach on March 4, but took five days until it reported the breach to the agency’s chief information security officer.
“The [18f] supervisor told the OIG that although they became aware of the data breach in March, the vulnerability had been in existence since October 2015,” the report stated. “The supervisor also advised the OIG that the full access OAuth 2.0 permissions between the GSA Google Drives and 18F’s Slack account have since been eliminated.”
A GSA spokesperson said in a statement that the agency identified the problem and took corrective action.
“GSA takes cybersecurity very seriously and we appreciate the opportunity to partner with the GSA Inspector General to ensure we maintain a secure environment,” the spokesperson said. “In this case, as part of normal operations, we identified a misconfiguration in one of our collaboration tools. Once identified, we corrected the issue immediately and initiated an internal review that did not identify any data breaches. Additionally, we made our user community aware of the issue to ensure they operate in a manner consistent with our IT policies.”
18F leaders posted a blog after the IG alert came out explaining what happened and how they fixed it.
“Enabling this integration was a mistake, but the consequences were not a data breach or hack,” wrote 18F’s executive director Aaron Snow and Noah Kunin, 18F’s director of Delivery Architecture and Infrastructure. “Upon discovering that this integration had been accidentally enabled, we immediately removed the Google Drive integration from our Slack, and then we reviewed all Google Drive files shared between Slack and Drive, just to be sure nothing was shared that shouldn’t have been. Our review indicated no personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property was shared. We make it a practice to regularly remind our team of their onboarding and training, and to always read the fine print when creating an OAuth 2.0 connection — good advice for anyone. Whether you use Google Drive for personal or professional reasons, you should occasionally check if you’re comfortable with what you’re sharing. Most other services that use OAuth 2.0 have a similar setup, including Facebook and Twitter.”
The IG recommended 18F to stop using Slack and OAuth 2.0 and report back to them in 10 days in how they have responded to the management alert.
Security risks through messaging or social media platforms are not a huge concern for many organizations yet.
A 2014 study by Osterman Research and Trustwave found only 6 percent of companies who responded say they had sensitive or confidential data leaked through social media or Web 2.0 platforms.
“[W]hile 62 percent of organizations consider Facebook to be a legitimate application, 42 percent consider it to be risky or extremely risky for use on the corporate network,” the study found. “Moreover … less than one-third of organizations believe that they are ‘very well protected’ against malware and other exploits that might enter through social media.”
But the recognition of risks from social media platforms isn’t new. The federal CIO Council issued guidance in 2009 on secure social media use by agencies. In that document, the council warned against the risks of social media and offered ideas for securing systems, data and networks.
A spokeswoman for Slack reassured its users that the issues reported by the GSA IG do not represent a data breach of the platform.
“Slack leverages the existing Google authentication framework when users integrate Google Drive with Slack,” the spokeswoman said. “This integration allows users to more easily share documents with other team members in Slack. However, only team members who have access to the underlying document from the permissions that have been set within Google can access these documents from links shared in Slack.”