The General Services Administration reported a security vulnerability in its new vendor system that put the social security numbers of thousands of government contractors at risk.
On March 8, a registered user of the GSA’s System for Award Management (SAM) alerted the agency that it was possible for other registered users to “access certain registration information of other entities” following a “unique series of steps”.
Vendors who use their social security numbers as their federal taxpayer identification number (TIN), and who opted in to public search within the system, were considered the most vulnerable to identity theft.
The agency estimated that at the time of the security patch, approximately 183,000 users were at greater risk due to the vulnerability, GSA spokesperson Jackeline Stewart told TheDC.
“The registered user would have had to have been an authorized Entity Administrator or Entity Registration Representative”, said Stewart.
“A casual browser from the outside would not be able to view any sensitive data”, she said.
The GSA said that the patch was issued “as soon as the vulnerability was identified” and that it is “undertaking a full review of the system to investigate and address any additional impacts to registrants in SAM.”
Registered vendors — both active and non-active — were notified by the GSA about the vulnerability over the weekend. The agency is also offering credit monitoring services to users identified as being at greater risk.
SAM is part of a GSA effort that began in 2008 to consolidate several of the federal government’s vendor management systems. At that time, the agency estimated that modernizing the system would cost $95.8 million.
The Government Accountability Office (GAO), however, estimated in March 2012 that the project would actually cost $181.1 million by the time it was finished, with annual hosting costs estimated at between $8 million and $9 million.
A letter sent by the GSA in August 2012 to IBM, the federal contractor responsible for the development of SAM, relayed vendor concerns about the site’s functionality and performance issues.
The DOD even began allowing its contractors to use other database systems instead of SAM.
IBM redirected questions about SAM to the GSA.