GSA IT gaps leaked personal information, OIG says


A series of four audits by the General Services Administration's inspector general has found that the agency's cloud computing environment made personally identifiable information accessible to employees and contractors who were not authorized to have it.

The audits, which were instituted after the OIG found multiple instances where sensitive information was accessible on GSA’s cloud computing system, date back to 2014 and were publicly released on Jan. 27.

“We did not make these reports public at the time we provided them to GSA management because of concerns that the reports presented information about then existing security vulnerabilities,” the OIG said in a statement.

“Because these concerns no longer exist, we are now making all reports available publicly as of Jan. 27, 2017. The release of this report does not imply that a new event has occurred.”

The audits detail how the OIG identified security gaps in the agency's use of Google cloud computing tools, including Google Docs and Google Groups, that exposed both the personal information of employees and contractors and sensitive building information.

The reports, which are now online at the GSA OIG website, found:

In 2014, sensitive but unclassified information about several GSA facilities was accessible through the agency's Google cloud computing environment, including Child Care Center emergency evacuation plans, courthouse vulnerability assessments of explosive blast loads and the location of judges' chambers, an FBI pre-lease security plan detailing a building's water supply, building automation schematics, and security and mail screening procedures for a National Nuclear Security Administration campus.

Following the discovery that the information was accessible, the Public Buildings Service did not provide sufficient evidence that it had notified the people affected by the unauthorized access that their information had been compromised.

A 2015 report found that the personally identifiable information of "907 government employees, contractors and job applicants was accessible Agency-wide," including Social Security numbers, passport and driver's license numbers, birthdates, home addresses, personal email addresses, telephone numbers, and medical and dietary needs.

Upon the discovery that the information was unintentionally accessible, GSA could not provide signed Memoranda of Understanding from the Google Sites owners accepting responsibility for owning and operating the sites.

GSA later addressed the MOU finding with "an instructional letter related to the management of its Google Sites"; it also contacted the affected individuals and instituted a risk-based strategy for handling the sensitive information.
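The common thread in both findings is a sharing setting rather than a software flaw: files in a Google environment granted to an entire domain, or to anyone with the link, are "accessible Agency-wide" whether or not the owner meant them to be. The following is an added example, not code from the OIG reports or from GSA, of the kind of triage an administrator could run over file metadata to find that condition. It assumes records shaped like Google Drive API v3 `files.list` items with permission `type`, `role`, `domain` and `allowFileDiscovery` fields; the `snippet` field and all sample records are constructed for the example, since Drive metadata does not carry document text and real content would have to be fetched separately.

```python
import re

# Drive API v3 permission types are "user", "group", "domain" and "anyone".
# A "domain" or "anyone" grant is the "accessible Agency-wide" condition the
# OIG described; a grant to a named user or group is not.
BROAD_TYPES = {"domain", "anyone"}

# Constructed PII indicators for this example; tune them for real data.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PII_KEYWORDS = {
    "dob": re.compile(r"\b(dob|date of birth)\b", re.I),
    "passport": re.compile(r"\bpassport\b", re.I),
    "drivers_license": re.compile(r"\bdriver'?s? licen[cs]e\b", re.I),
    "medical": re.compile(r"\b(medical|dietary)\b", re.I),
}


def broad_grants(permissions):
    """Return the permission entries that expose a file beyond named people."""
    return [p for p in permissions if p.get("type") in BROAD_TYPES]


def pii_hits(text):
    """Return sorted labels of the PII indicators found in a text sample."""
    hits = set()
    if SSN_RE.search(text):
        hits.add("ssn")
    for label, pattern in PII_KEYWORDS.items():
        if pattern.search(text):
            hits.add(label)
    return sorted(hits)


def audit_files(files):
    """Triage file records for broad sharing, then grade by PII content.

    Each record mirrors a Drive v3 files.list item requested with
    fields=files(id,name,permissions(type,role,domain,allowFileDiscovery)).
    The "snippet" key is NOT a Drive field (assumption for this example): it
    stands in for content fetched separately via files.export or files.get.
    """
    findings = []
    for f in files:
        grants = broad_grants(f.get("permissions", []))
        if not grants:
            continue  # only named users/groups: not agency-wide
        hits = pii_hits(f.get("snippet", ""))
        findings.append({
            "id": f["id"],
            "name": f["name"],
            "exposure": sorted({g["type"] for g in grants}),
            # allowFileDiscovery=True means the file also shows up in search,
            # not just to people who already hold the link.
            "discoverable": any(g.get("allowFileDiscovery") for g in grants),
            "pii_hits": hits,
            "severity": "high" if hits else "medium",
        })
    return findings


# Constructed sample records (example data, not from the audits).
SAMPLE_FILES = [
    {"id": "f1", "name": "onboarding-roster",
     "permissions": [{"type": "domain", "role": "reader",
                      "domain": "example.gov", "allowFileDiscovery": True}],
     "snippet": "Jane Doe, SSN 123-45-6789, DOB 1980-01-02, passport on file"},
    {"id": "f2", "name": "team-notes",
     "permissions": [{"type": "user", "role": "writer",
                      "emailAddress": "analyst@example.gov"}],
     "snippet": "agenda for Monday"},
    {"id": "f3", "name": "evac-plan",
     "permissions": [{"type": "anyone", "role": "reader"}],
     "snippet": "Child Care Center emergency evacuation plan"},
]

if __name__ == "__main__":
    for finding in audit_files(SAMPLE_FILES):
        print(finding)
```

The file with only a named-user grant is skipped; the domain-shared roster is graded high because it carries an SSN, a date of birth and a passport reference, and the link-shared evacuation plan is still reported at medium severity because the exposure alone is the finding, even though the simple PII patterns do not match sensitive building information.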

GSA was among the first federal agencies to adopt cloud computing as part of its operations.