Contractor Site User Uncovered GSA Data Compromise
March 20, 2013
A user of an online federal contracting registry found a way of bypassing security controls to see every contractor’s personal and proprietary data, prompting the government to alert registrants about possible fraud, according to the General Services Administration, the owner of the system.
IBM, which operates the registry, known as the System for Award Management, or SAM, failed to discover the issue. Neither GSA's agencywide continuous monitoring program, which tracks the state of the agency's computer protections, nor Einstein, the Homeland Security Department's intrusion prevention system, recorded a threat. It is unknown whether a scammer spotted the defect first.
"A SAM user alerted us to the vulnerability," GSA spokeswoman Jackeline Stewart told Nextgov. She did not identify the individual. The person described the problem to GSA on March 8 and the agency patched the system two days later.