A user of an online federal contracting registry found a way of bypassing security controls to see every contractor’s personal and proprietary data, prompting the government to alert registrants about possible fraud, according to the General Services Administration, the owner of the system.
IBM, which operates the registry, known as the System for Award Management, or SAM, failed to discover the issue. Neither GSA’s continuous monitoring program, which tracks computer protections agencywide, nor Einstein, the Homeland Security Department’s intrusion prevention system, documented a threat. It is unknown whether a scammer spotted the defect first.
“A SAM user alerted us to the vulnerability,” GSA spokeswoman Jackeline Stewart told Nextgov. She did not identify the individual. The person described the problem to GSA on March 8 and the agency patched the system two days later.
GSA had awarded IBM a $74 million contract to build and maintain the tool for eight years, beginning in 2010. The agency this week said it would seek redress.
Keep reading this article at: http://www.nextgov.com/cybersecurity/2013/03/contractor-site-user-uncovered-gsa-data-compromise/61973/?oref=nextgov_today_nl.