On March 17, I noted that the General Services Administration (GSA) had disclosed a vulnerability in the System for Award Management (SAM), which could allow some existing users in the system to view certain registration information of other users. The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. And for a subset of users, Social Security numbers were involved (instead of TINs).
Because they did not disclose how many people were affected and notified, I filed a Freedom of Information request on March 17. Today, I received an answer:
This is in response to your Freedom of Information Act (FOIA) request (GSA number 238978), dated March 17, 2013, in which you requested “specific record(s) that indicate the number of users who will be notified of the vulnerability discovered on March 8 and disclosed on GSA’s web site on March 16 at http://www.gsa.gov/protal/content/167851.”
The U.S. General Services Administration (GSA) notified the entire System Award Management (SAM) user base of the security vulnerability discovered on March 8, 2013, which was over 700,000+ entities.
[…]