The SAM.gov federal website that registers thousands of federal contractors has been hit by an alleged fraud, General Services Administration (“GSA”) officials announced on March 22.
Since 2012, federal contractors have been required to register in the System for Award Management, or SAM.gov (formerly CCR/ORCA, which was phased out), and to provide detailed company information, including sensitive information such as bank account numbers. If you want to be paid by the federal government (or even to have the possibility of getting paid), you must provide this information and be registered and up to date in SAM.gov.
The suspected fraud involved payments from the government that were improperly diverted to third-party accounts. At this time, GSA believes “only a limited number” of companies have been affected, and they have been notified. Accordingly, if you have NOT received an email from SAM.gov that made you spit out your coffee, presumably your information is safe, although from the GSA’s statement it appears that more notifications of individual breaches may be coming.
The GSA, in its March 22 statement, urged contractors to review their bank information to determine if their account was affected. “Entities should contact their federal agency awarding official if they find that payments, which were due their entity from a federal agency, have been paid to a bank account other than the entity’s bank account,” GSA wrote. If an entity suspects a payment due them from a Federal agency was paid to a bank account other than their own, they should contact the Federal Service Desk at www.fsd.gov, or by telephone at 866-606-8220 (toll free) or 334-206-7828 (internationally), Monday through Friday from 8 a.m. to 8 p.m. (EDT). Accordingly, check your bank statement to make sure everything is as it should be. Now! Don’t assume the government correctly identified you as safe from the breach and correctly refrained from sending you a notice.
GSA confirmed that its Office of Inspector General is investigating the suspected fraudulent activity. The affected accounts have been deactivated and systems modifications are being made to prevent further fraudulent activity.
For new registrations, GSA is now requiring an original, signed notarized letter identifying the authorized Entity Administrator for the entity associated with the DUNS number before a new SAM.gov entity registration will be activated.
This is the worst breach of SAM.gov yet. Back in 2013, a glitch in the system enabled those using its search function to access sensitive information, but there were no reported incidents of resulting theft. While the details are sketchy right now, there should soon be information relating to the number of contractors affected and the amount of funds diverted.
For more information, access the GSA statement here.
For updates and other information that affects federal government contractors, follow Sarah Schauerte’s legal blog at: https://legalmeetspractical.com.
Another reminder that the internet is a wonderful tool, but you have to diligently guard your data or it’ll escape into the wild!