Watchdog: 18F Caused a 'Data Breach' Using Slack

Rena Schild/Shutterstock.com

The messaging and collaboration application exposed sensitive information to outsiders.

Tech consulting team 18F's Slack account may have exposed sensitive government information to outsiders and resulted in a data breach, a watchdog report says.

18F, a unit inside the General Services Administration made up largely of private sector recruits who whip up digital prototypes and advise other agencies on tech projects, required employees to use the messaging and collaboration application Slack to share content such as spreadsheets and PDFs. Slack has gained significant traction among employees at startups and tech companies. 

Using Slack exposed more than 100 GSA Google Drive accounts -- essentially, storage files -- to outsiders for at least five months, according to a new report from the General Services Administration's Office of the Inspector General. Vulnerable information included personally identifiable information and proprietary information belonging to contractors, the report said. 

The team had been using an authentication protocol known as "OAuth2.0" -- neither Slack nor that protocol had been approved by GSA IT standards, according to the IG. It was the use of this authentication method that exposed the Google drives to potential intrusion.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

An 18F supervisor notified a senior security officer at GSA about the breach five days after it was discovered in early March. According to that supervisor, the vulnerability had existed since October. That appears to have run afoul of GSA's policy on data breaches, which requires all incidents involving personally identifiable information be reported to GSA's chief information security officer's team within one hour of discovery. 

18F has been very public about its use of Slack, announcing in a blog post it had coded a bot in the application to flag potentially sexist phrases -- suggesting the word "guys" be substituted for "people" or "team," for instance. 

Last year, Slack itself disclosed a database storing user information had been exposed to intruders, and subsequently enabled new security features including two-factor authentication and a password "kill-switch" allowing entire teams to automatically reset passwords. The OIG recommended GSA stop using Slack and OAuth 2.0 until they're approved by agency IT standards. 

In an email to Nextgov, a GSA spokesperson referred to the incident as a "misconfiguration in one of our collaboration tools."

After the issue was identified, GSA "initiated an internal review that did not identify any data breaches" and "made our user community aware" of the problem.  

18F and the U.S. Digital Service, a White House tech team, are also the subject of a Government Accountability Office audit, expected to be published in June.