Mar 16

Oh Joy! – security vulnerability in the System for Award Management (SAM)

If you go after government grants like SBIRs, STTRs, etc., you will likely have received the following email in the last 24 hrs alerting you to a security vulnerability in the US government's System for Award Management. Just look at the kinds of data that were exposed: “The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.”

It's really nice that they spotted this vulnerability, and I do feel reassured by the statement “We apologize for any inconvenience or concern this situation may cause.” Why even bother about hackers? Just leave the door open and have a nice sign saying ‘come and rip off all the data you need while you are at it.’

One word can describe this: “incompetent”. I somehow do not think the ‘Acting Assistant Commissioner’ will be there much longer.

Here is the email:

Dear SAM user

The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA.  Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.

Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. As a precaution, GSA is taking proactive steps to protect and inform SAM users.

The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.

Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.

In the meantime, we wanted you to be aware of certain steps that all SAM users may want to take to protect against identity theft and financial loss. Specific information is available at www.gsa.gov/samsecurity. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.

We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation. The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments.

Sincerely,

Amanda Fredriksen
Acting Assistant Commissioner
Integrated Award Environment

1 ping

  1. Wendy Warr says:

    I was just rejoicing at being re-registered in SAM (after many glitches post-ORCA, CCR etc.) when I too got the jolly SAM security message.
