Cyber vulnerability in GSA's SAM portal exposes vendors' data

Friday - 3/15/2013, 6:13pm EDT

The General Services Administration's System for Award Management potentially exposed users' information, including some Social Security numbers and bank-account information, to the public because of a cybersecurity vulnerability.

In an email to SAM users obtained by Federal News Radio, GSA's Amanda Fredriksen, the acting assistant commissioner for the Integrated Award Environment, told vendors the agency applied a software patch as soon as GSA discovered the problem. The agency stated on its Integrated Acquisition Environment (IAE) website that the vulnerability was reported on March 8 and fixed on March 10.

"The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others," Fredriksen wrote. "Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge."

GSA spokeswoman Jackeline Stewart said in an email to Federal News Radio, "GSA is undertaking a full review of the system and investigating any potential additional impacts to registrants in SAM. The security of this information is a top priority for this agency and we will continue to ensure the system remains secure."

On the IAE website, GSA stated, "To date, GSA has no evidence that registrants' data was improperly used, changed or lost. Information was not editable by any users other than the authorized administrator for the entity."

This becomes yet another hiccup for SAM. GSA has been trying to consolidate eight procurement systems — including the Central Contractor Registration, the Past Performance Information Retrieval System and six others — for the past three years.

GSA and its contractor, IBM, planned to take SAM live early last summer, but had to delay full production by two months after problems surfaced. Even after the launch, SAM struggled, causing GSA to issue IBM a letter of concern about SAM's performance.

GSA moved the oversight and implementation of SAM to the Federal Acquisition Service from the Office of Governmentwide Policy in October and increased the resources going to it.

SAM has improved over the last few months though some vendors still have problems using it.

Now, this potential data breach is another challenge for the system.

"We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation," Fredriksen wrote. "The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments."

RELATED STORIES:

GSA hires IBM to consolidate procurement databases

GSA sending resources, expertise to rescue SAM

GSA issues IBM a letter of concern for problems with procurement system