Watchdog: 18F's Slack security exposed GSA data

This story has been updated with additional comments from Slack and 18F.

18F's use of an open source authentication tool may have exposed sensitive information in what the General Services Administration's watchdog is calling a data breach.

In a May 12 management alert, the GSA Office of Inspector General said 18F was using unauthorized tools and failed to report data exposure promptly.

"Due to authorizations enabled by GSA 18F staff, over 100 GSA Google Drives were reportedly accessible by users both inside and outside of GSA during a five month period, potentially exposing sensitive content such as personally identifiable information and contractor proprietary information," the IG's office reported.

In a statement provided to FCW, a GSA spokesperson said the agency had directed users to "operate in a manner consistent with our IT policies," and indicated that there did not appear to have been improper data use.

An 18F supervisor discovered the inappropriate access on March 4, the IG's report said, but did not report it to GSA's senior agency information security officer until March 9. The vulnerability has existed since October 2015, and the IG's office learned of the breach on May 5.

The access was facilitated by 18F's use of OAuth 2.0 to link 18F's Slack account to GSA Google Drives.

The IG reported that 18F has now eliminated the overbroad authorizations.

The report noted that neither Slack, the internal communications platform used heavily by 18F, nor OAuth 2.0, are approved for use under GSA guidelines. Further, the IG report noted that 18F failed to notify GSA security leadership of the breach within the one-hour timeframe under GSA policy.

Whether 18F continues to use Slack, a platform that many private-sector companies swear by and which 18F uses at its default communications platform, remains to be seen. The IG report called for use to cease until GSA officially approves Slack and OAuth. The GSA spokesperson did not explicitly say whether Slack use had been nixed.

"In this case, as part of normal operations, we identified a misconfiguration in one of our collaboration tools," the GSA spokesperson said. "Once identified, we corrected the issue immediately and initiated an internal review that did not identify any data breaches."

The IG's office did not immediately respond to a request to clarify whether it had evidence data had actually been accessed inappropriately, or whether it had simply been made vulnerable.

The IG's report gives GSA 10 days to respond with details of its response.

Update: In a May 13 statement, a Slack spokesperson noted that Slack integrates with Google Drive, but does not override permissions that users set within Drive.

"The issue reported this morning by the GSA Office of the Inspector General does not represent a data breach of Slack, and customers should continue to feel confident about the privacy and security of the data they entrust to Slack," the spokesperson also noted.

18F, for its part, published a blog post acknowledging some sloppy security.

"[T]o our knowledge no sensitive information was shared inappropriately," wrote 18Fers Aaron Snow and Noah Kunin. "Enabling this integration was a mistake, but the consequences were not a data breach or hack."

Snow and Kunin said the settings in place had allowed GSA Google Drive files to wind up in Slack's databases, but that that access has now been closed and, as far as they could tell, no private personal information had been exposed.

They did not say whether 18F would suspend its use of Slack until formal GSA approval could be secured.

The Slack spokesperson did not speak specifically to 18F and GSA's policies, but said the company works to try to meet different federal users' requirements. "Slack is actively exploring FEDRAMP approval to help make Slack more readily accessible to Federal Civilian Agencies," the spokesperson told FCW.