GSA employee's error exposes entire staff to potential identity theft

Agency is offering one year of insurance

An employee at the General Services Administration e-mailed the names and Social Security numbers of the agency’s entire staff to a private e-mail address, leaving GSA workers exposed to potential identity theft, according to published reports.

GSA sent a letter alerting its 12,000 employees in late October, about a month after discovering the breach in September -- and nearly six weeks after it had happened, reported Ashley Southall in a Nov. 6 article in the New York Times. GSA had alerted them earlier via e-mail, but some agency employees told Southall that they often ignored these alerts due to the high volume of alerts they receive.

Previous GCN coverage has shown that e-mail remains the top source for data breaches, according to a survey released by Proofpoint, an e-mail security and data loss prevention company, and conducted by Osterman Research. The biggest data threats come from inside a company, often as a result of accidents or carelessness by employees, according to a survey by Forrester Research.

GSA informed employees that the worker had sent the file accidentally and that it had not been forwarded. GSA technicians removed the information from the recipient’s computer and e-mail, the Times reported.

In the letter, signed by GSA’s CIO Casey Coleman and Gail Lovelace, the agency’s privacy official, GSA provided employees with $25,000 in identity theft insurance coverage and credit monitoring for a year in response to the incident.

GSA’s Inspector General Brian Miller is investigating the incident, the Times reported.

Employees could still be vulnerable after a year and the delay in notifying employees puts them at greater risk, said Jack Hanley, who leads a council representing approximately 4,000 GSA employees who are members of the National Federation of Federal Employees Union, according to the Times.

About the Author

Kathleen Hickey is a freelance writer for GCN.


Reader Comments

Thu, Jan 6, 2011 34 year federal employee Denver, CO

As many have already said, how is mailing every employee's name and SSN to an outsider address an error? I think that most people above the age of 16 would know that is something you just shouldn't do. A GS-1 on their first day would know that you shouldn't mail this type of info to an outsider! On the other side of the coin, why did this employee have access to names and SSNs if they didn't even know they should never be e-mailed to an outsider? I think GSA needs to come clean and address the many issues they have and explore why it happened, not pretend it didn't. How long CAN you protect "stupid" rather than address it in the proper manner?

Wed, Nov 10, 2010

Coleman is the same CIO touting less independence for Agency CISOs. If you can't quash the CISO he/she may make recommendations to prevent things like DLP.... Don't worry though.. soon enough GSA will be moving all their email into the cloud and then all will be well.

Wed, Nov 10, 2010 Contractor Federal Agency

Just how accidental is gathering 12000 names and their corresponding SSNs, putting them into an email addressed to an OUTSIDER and sending it? Does that OUTSIDER have the same Outlook Nickname as the GSA CIO, CFO, CEO?

Tue, Nov 9, 2010 Bruce

I would not blame the employee entirely. One can never get rid of human error completely. There is software that would automatically catch this type of violation, quarantine the email and notify a compliance officer. Sendmail Inc., for one, is a provider of data leakage protection software for email communications. How about spending our tax dollars where it makes sense.

Tue, Nov 9, 2010

This article did not mention the accountability for the employee's actions. This should be an automatic firing offense. I have had this same issue with the Commerce Department and twice with the Veterans. As far as I could tell the responsible individuals only received a slap on the hand. There is no excuse to put this information in any type of compromising situation.
