The General Services Administration’s inspector general has found that the 18F digital services organization experienced a data breach due to the use of systems that are not approved under GSA’s Information Technology Standards Profile.
GSA IG said in a management alert report issued Thursday that at least 100 GSA Google Drives have been exposed to external users since October 2015 because of OAuth 2.0.
18F employees use the authorization system to share files between Google Drive and the online messaging and collaboration application Slack.
The IG added that the breach potentially exposed personally identifiable information and contractor proprietary data to people outside GSA.
According to the report, an 18F supervisor discovered the breach on March 4 and reported the vulnerability on March 9 to the GSA senior agency information security officer.
OAuth 2.0 and Slack are not compliant with GSA Order CIO P 2160.1E, which requires the evaluation of IT products and services against the agency’s security, legal and accessibility needs before their use is approved under the GSA IT standards profile, the report added.
GSA IG said 18F also failed to comply with the agency’s information breach notification policy, which requires personnel to report all discovered or suspected breaches of PII within an hour of discovery.
The report recommended that GSA stop the use of Slack and OAuth 2.0 unless they are approved for use in the IT standards profile and ensure that 18F follows GSA Order CIO P 2160.1E.