GSA employee's error exposes entire staff to potential identity theft

An employee at the General Services Administration e-mailed the names and Social Security numbers of the agency’s entire staff to a private e-mail address, leaving GSA workers exposed to potential identity theft, according to published reports.

GSA sent a letter alerting its 12,000 employees in late October, about a month after discovering the breach in September -- and nearly six weeks after it had happened, reported Ashley Southall in a Nov. 6 article in the New York Times. GSA had alerted them earlier via e-mail, but some agency employees told Southall that they often ignored these alerts due to the high volume of alerts they receive.

Previous GCN coverage has shown that e-mail remains the top source for data breaches, according to a survey released by Proofpoint, an e-mail security and data loss prevention company, and conducted by Osterman Research. The biggest data threats come from inside a company, often as a result of accidents or carelessness by employees, according to a survey by Forrester Research.

GSA informed employees that the worker had sent the file accidentally and that it had not been forwarded. GSA technicians removed the information from the recipient’s computer and e-mail, the Times reported.

In the letter, signed by GSA’s CIO Casey Coleman and Gail Lovelace, the agency’s privacy official, GSA provided employees with $25,000 in identity theft insurance coverage and credit monitoring for a year in response to the incident.

GSA’s Inspector General Brian Miller is investigating the incident, the Times reported.

Employees could still be vulnerable after a year and the delay in notifying employees puts them at greater risk, said Jack Hanley, who leads a council representing approximately 4,000 GSA employees who are members of the National Federation of Federal Employees Union, according to the Times.