Security Breach of Employee Data at GSA
11/08/10 12:44 pm ET
An employee at the General Services Administration accidentally sent the names and Social Security numbers of the agency’s staff to a private e-mail address, The New York Times reported on Saturday. GSA, which employs more than 12,000 people, is going to pay for one-year of credit monitoring and up to $25,000 in identify threat insurance coverage, according to the news report.
The breach occurred when a worker apparently accidentally transmitted the file containing the personal data while seeking “work-related assistance.” The computer that received the data was scrubbed clean by GSA technicians.
The Times reports there is a discrepancy between when employees were notified and the breach. Although the breach occurred in late September, GSA employees told the Times they did not learn of the breach until early November, putting them “at greater risk.”
The inspector general is investigating he incident.
GSA IG investigating breach of employee data By NICOLE BLAKE JOHNSON November 9, 2010
General Services Administration Inspector General Brian Miller is investigating an e-mail system breach in which the names and Social Security numbers of more than 12,800 GSA employees were accidentally sent to a private e-mail account in September.
As of Nov. 2, the agency’s e-mail system, LotusNotes, blocks e-mails from traveling outside of the agency’s firewalls when the messages contain unencrypted Social Security numbers, according to an internal memo sent to GSA employees and contractors.
“There is an investigation going on,” Miller confirmed but would not discuss further.
The National Federation of Federal Employees Council of GSA locals, which represents about 4,000 employees, is concerned about delays in informing employees of the breach.
“I believe there was a significant lapse before the employees were told about this, and that’s really a big problem,” said Jack Hanley, president of the council. “How long it [personal information] was out in the public eye isn’t clear.”
The breach occurred Sept. 16, but wasn’t discovered until nearly a week later when security workers were reviewing e-mail logs, according to an internal document obtained by Federal Times. GSA first notified employees via an electronic “security alert” Sept. 28, but some employees weren’t aware of the breach until receiving a letter — dated Oct. 25 — from GSA’s chief information officer Casey Coleman and senior agency official for privacy Gail Lovelace.
Employees were told in the Oct. 25 letter that a worker sent a file containing the names, Social Security numbers, regions, duty stations and organizational codes to a private e-mail account “for work-related assistance.” In earlier notifications, GSA said the “overall risk is low,” because the workers involved were cooperative after being notified by GSA, and the agency’s information technology specialists deleted the information from both e-mail accounts and laptops.
The agency has provided employees with one year of free credit monitoring and $25,000 in identity theft insurance coverage.
Hanley said the union will ask GSA to extend the credit monitoring service for 10 years because employees are vulnerable to identity theft for much longer than one year.
Calls to GSA’s press secretary were not returned.
@Charlie. Sorry I don’t have an answer for you (I’m actually a State Gov’t employee). I would suggest contacting your HR dept.