GSA system showed SSNs for 183K contractors
(MoneyWatch) A software glitch in the government procurement system for contractor work exposed significant amounts of sensitive data of individuals and companies registered as federal contractors -- including Social Security numbers and bank account numbers for 183,000 individuals. The problem could leave many potentially open to a significant threat of identity theft.
The General Services Administration sent an email to parties registered on the System for Award Management, or SAM, on Friday, warning them of the problem, according to a copy obtained by MoneyWatch. The message states that registered SAM users with the proper set of assigned rights "had the ability to view any entity's registration information, including both public and non-public data at all sensitivity levels."
SAM is an attempt to consolidate multiple government procurement systems. It is part of a major e-government presidential initiative from 2002 that was expected to take until 2015 to complete and that had spent $54.8 million in fiscal year 2012. IBM is the contractor that build the system and the GSA has had concerns about the software's performance.
Usually associated with people, identity theft can also target companies in ways that can cost them money and reputation. Identity theft is difficult to correct once it happens. Contractors must provide extensive detailed information about themselves or their organizations, including bank account numbers for payment transfers, tax payer identification and contact details, that could make identity theft relatively easy to accomplish.
Although a GSA spokesperson cited 183,000 users as "most vulnerable," in response to a repeated MoneyWatch question, because they had registered with their Social Security numbers, the tax payer ID and bank account numbers as well as other information leaves all registered users, whether individuals or companies, in danger of identity theft. The GSA did not respond to a repeated question of how many total registered users there were on the system.
According to a GSA bulletin, the software problem was actually discovered on March 8, 2013, and fixed two days later. The GSA notes that it is undertaking a "full security review" of the system. However, there is no information in that public posting of how long the vulnerability existed or why there was a gap of days between fixing the problem and notifying users of the potential of identity theft, and GSA spokespeople did not respond to repeated questions on these topics.
According to the bulletin, the only way people can know if their data was seen and used is to "monitor your bank accounts and notify your financial institution immediately if you find any discrepancies." The GSA will provide "the most vulnerable users (those that use a Social Security Numbers as a Taxpayer Identification Number and that "opted in" to public search) access to credit monitoring services."
Here is the statement the GSA provided in response to a number of questions from MoneyWatch:
Recently, U.S. GSA officials identified a security vulnerability in the System for Award Management (SAM), which could allow some existing users in the system to view certain registration information of other users.Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM.
The security of this information is a top priority for this agency and we will continue to ensure the system remains secure.