When I first saw reference to this vulnerability report, I thought it was a non-U.S. situation. But then I realized it was our government. Oops!
Posted on the GSA’s web site, yesterday:
System for Award Management Security Vulnerability
SAM SECURITY ISSUE
March 2013
Recently, U.S. GSA officials identified a security vulnerability in the System for Award Management (SAM), which could allow some existing users in the system to view certain registration information of other users.
Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM.
The security of this information is a top priority for this agency and we will continue to ensure the system remains secure.
For additional information, see the SAM security vulnerability FAQs. Starting Monday, March 18, at 8 a.m., you may call the FedInfo hotline at 1-800-FED-INFO for immediate support.
- Who was impacted?
Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. (The most vulnerable users are those that use a Social Security Number as a Taxpayer Identification Number and that “opted in” to public search.) GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM.
- When did the security incident take place?
It was reported to GSA on March 8, 2013 and closed on March 10.
- Based on this defect, what information was at risk?
With the recent issue in SAM, it was discovered that by following a unique series of steps an entity record manager could potentially see the sensitive information of another entity. Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.
- Could my data have been changed?
No. Information was not editable by any users other than the authorized administrator for the entity.
- How do I know if my data was exposed? (At-risk user vs. general user)
We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.
- Why did this happen?
This issue was the result of a system security vulnerability in the System for Award Management (SAM). The defect has been resolved so that no information is viewable by unauthorized users, and the system is being thoroughly reviewed to determine what additional security safeguards and protocols should be implemented.
- What should I do if I suspect my information was viewed?
Those entities that are identified to be at greater risk will receive a separate email communication regarding credit monitoring resources that will be made available to them at no charge.
- What is GSA doing to prevent this from happening in the future?
Protecting user content is a top priority for GSA. The agency has implemented compensating controls to shut down the security vulnerability and is going through a full security review of SAM.
- What does it mean to Opt Out of the Public Search?
When you register in SAM to do business with the Federal government, you have the choice to not allow your registration information to appear in the normal, public search results. This is called “opting out” of public search. If you do “opt out” of public search, only Federal users that are logged into SAM using their government user account would see your registration information in their search results. If you are a registrant applying for SBA HUBZone or 8(a) programs, you must allow your record to be searchable in public search.
- What kind of relief/correction actions will you take?
GSA will be providing the most vulnerable users (those that use a Social Security Number as a Taxpayer Identification Number and that “opted in” to public search) access to credit monitoring services.
The text of the e-mail sent to affected individuals was posted on several web sites, as follows:
Dear SAM user,
The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.
Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. As a precaution, GSA is taking proactive steps to protect and inform SAM users.
The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.
Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.
In the meantime, we wanted you to be aware of certain steps that all SAM users may want to take to protect against identity theft and financial loss. Specific information is available at www.gsa.gov/samsecurity. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.
We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation. The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments.
Sincerely,
Amanda Fredriksen
Acting Assistant Commissioner
Integrated Award Environment
I was a contract employee of the US Navy from 2000 – 2002 at the Naval Hospital in Charleston, SC. I am no longer in that position and have no plans to resume a contract position within the government. How can I remove my information from the SAM system and eliminate future security risks?
Thank you,
Donna Gardner
(724) 294-3169
Looking at their site, I think you need to contact the Federal Service Desk and submit a request to delete the account: https://www.fsd.gov/
Around 10 years ago, I was diagnosed with “Early Onset Parkinson's”. One of the problems I'm learning to deal with is a spotted memory. I don't remember if CBR contacted me earlier.
Is there some way I could find out if MY personal information was breached?
300,000 is a lot of people. I'll sleep better knowing my info was not involved…
You could try calling the toll-free number they had set up at the time. I don't know if it's still working, but the number was 888-578-4480.