Legal Meets Practical: Accessible Solutions

ALERT: Vulnerability in the System for Award Management (SAM) Reported

On Friday, March 15, the General Services Administration (GSA) reported a security vulnerability in the System for Award Management (SAM). For an unspecified period of time, registered SAM users with entity administrator rights and delegated entity registration rights were able to view any entity’s registration information, including both public and non-public data at all sensitivity levels. The vulnerability was discovered on March 8th, and on March 10th the GSA implemented a software patch to close the exposure. It later sent a mass email to all SAM registrants.

As noted in the email release, the exposed data contained identifying information, including: names; taxpayer identification numbers (TINs), including Federal Employer Identification Numbers (FEINs) and Social Security numbers; marketing partner information numbers; and bank account information. The GSA has not, however, specified how long this information was viewable.

Registrants using their Social Security numbers instead of a TIN were identified as being at greater risk of identity theft. These registrants include sole proprietorships and solo member limited liability companies. They were advised to monitor their bank accounts and to contact their financial institutions immediately if they noted any discrepancies. They were also given free access to credit monitoring services.

This security vulnerability is worrying for a number of reasons. Thousands of SAM registrants were affected by the vulnerability, and yet they were not alerted until seven days after it was discovered. Also, while the issue was reported to the GSA on March 8th, it was not resolved for two days. Finally, while registered SAM users are aware of the incident, they have no way of knowing whether their information was compromised. Instead, they must monitor their credit and banking information to make sure that they do not become victims of identity theft.

Who knew that agreeing to do business with the federal government included consent to be exposed to identity theft?

SAM users can access the GSA’s System for Award Management Security Vulnerability FAQ webpage here. If you would like additional background or have questions, the FAQ webpage provides a contact number that is in service from 8:00 AM to 8:00 PM beginning March 18.
