
Whoops: 18F’s Slack use could have created a data leak

A General Services Administration report found that more than 100 GSA Google Drives were accessible to anyone for a total of five months. In a blog post, 18F says there was no data breach.

18F’s enthusiasm for Slack is well documented. The “business inside the federal government” uses the online communication tool to connect a disparate team, encourage an inclusive office culture and even onboard new employees.
But a new report from the General Services Administration’s Office of Inspector General says 18F’s Slack account may have accidentally exposed a bunch of government information to outsiders.
Apparently, 18F shares Google Drive files on Slack, and uses an authorization protocol called OAuth 2.0 to grant Slack access to Drive. Unfortunately, the way that access was set up was not so secure. Per the report, the “use of OAuth 2.0 to authorize access between 18F’s Slack account and GSA Google Drive permitted full access to over 100 GSA Google Drives.”
In the report the Office of Inspector General states that “18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s Information Technology Standards Profile,” and urges GSA to stop using Slack.
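The finding above comes down to scope: an OAuth 2.0 grant that asks for full Drive access lets the integration read every file the granting user can see, not just the files that user chose to share. The script below is an added example written for this article, not code from 18F, GSA or Slack. It audits a list of third-party token grants and flags any that carry a full-Drive scope, then counts how many distinct users' Drives each such client can reach. The scope strings are Google's published Drive scopes; the grant records are constructed for illustration, with field names (`userKey`, `displayText`, `scopes`) modelled on the Directory API tokens resource as an assumption about how an admin would export them.

```python
"""Audit OAuth 2.0 token grants for overly broad Google Drive scopes.

Added example for this article; not 18F, GSA or Slack code. The records in
SAMPLE_TOKENS are constructed, and their field names are an assumption
modelled on a Google Workspace admin token export.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Google Drive OAuth scopes. The bare "drive" scope (and its readonly twin)
# reaches every file the user can open; "drive.file" only reaches files the
# user created with, or explicitly opened in, that particular app.
FULL_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}
PER_FILE_SCOPES = {
    "https://www.googleapis.com/auth/drive.file",
}


@dataclass(frozen=True)
class Grant:
    user: str            # account that authorized the third-party client
    client_display: str  # human-readable name of the client
    scopes: tuple        # scopes the client was granted, as strings


@dataclass(frozen=True)
class Finding:
    user: str
    client_display: str
    severity: str  # "high" for full-Drive access, "info" for per-file access
    reason: str


def parse_grants(records: List[dict]) -> List[Grant]:
    """Turn raw admin-export dicts into Grant objects (assumed field names)."""
    return [
        Grant(
            user=r["userKey"],
            client_display=r.get("displayText", "<unnamed client>"),
            scopes=tuple(r.get("scopes", [])),
        )
        for r in records
    ]


def classify_grant(grant: Grant) -> Optional[Finding]:
    """Return a Finding for Drive-related grants, None for everything else."""
    full = sorted(s for s in grant.scopes if s in FULL_DRIVE_SCOPES)
    if full:
        return Finding(grant.user, grant.client_display, "high",
                       "full-Drive scope granted: " + ", ".join(full))
    if any(s in PER_FILE_SCOPES for s in grant.scopes):
        return Finding(grant.user, grant.client_display, "info",
                       "per-file Drive scope only")
    return None


def audit(grants: List[Grant]) -> List[Finding]:
    """Classify every grant and keep only the Drive-related findings."""
    return [f for f in map(classify_grant, grants) if f is not None]


def drives_reachable_per_client(findings: List[Finding]) -> Dict[str, int]:
    """For each client with full-Drive access, count distinct users' Drives.

    This is the "how many Drives could this integration read" number that
    an inspector general would want: one user per Drive, counted once.
    """
    users_by_client: Dict[str, set] = {}
    for f in findings:
        if f.severity == "high":
            users_by_client.setdefault(f.client_display, set()).add(f.user)
    return {client: len(users) for client, users in users_by_client.items()}


# Constructed sample export: two users granted a chat integration full Drive
# access, one user granted a document add-on per-file access, one unrelated.
SAMPLE_TOKENS = [
    {"userKey": "alice@agency.example", "displayText": "Chat integration (constructed)",
     "scopes": ["https://www.googleapis.com/auth/drive", "openid", "email"]},
    {"userKey": "bob@agency.example", "displayText": "Chat integration (constructed)",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@agency.example", "displayText": "Doc add-on (constructed)",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"userKey": "dave@agency.example", "displayText": "Calendar sync (constructed)",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]


if __name__ == "__main__":
    results = audit(parse_grants(SAMPLE_TOKENS))
    for f in results:
        print(f"[{f.severity}] {f.user} -> {f.client_display}: {f.reason}")
    print("Drives reachable per client:", drives_reachable_per_client(results))
```

Run against a real export, the "high" findings are the grants to revoke or narrow, and the per-client count is the blast radius to report. Counting severities by client rather than by scope keeps the numbers honest when one client holds both `drive` and `drive.readonly`.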
The report was published on Thursday, and 18F responded on Friday afternoon with a thorough blog post explaining the issue. Critically, they claim that “to our knowledge no sensitive information was shared inappropriately.”
18F admits that integrating Google Drive with Slack was a mistake, and one that was rectified as soon as it was noticed, which, yes, was five months after an administrator first enabled the configuration.
Despite the OIG’s concern, however, 18F maintains that there was no data breach:

Upon discovering that this integration had been accidentally enabled, we immediately removed the Google Drive integration from our Slack, and then we reviewed all Google Drive files shared between Slack and Drive, just to be sure nothing was shared that shouldn’t have been. Our review indicated no personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property was shared.

18F’s blog post does not address the OIG’s assertion that Slack is not in compliance with GSA’s Information Technology Standards.
Read the OIG’s full report here, and 18F’s response here.
