On March 8, 2023, countless federal contractors and grant recipients awoke to quite a scare after finding strange emails, allegedly from the government, claiming that critical information about their registrations had been changed in the System for Award Management (SAM). If that wasn’t shocking enough, SAM then proceeded to crash the same morning during an “unscheduled website outage,” which prevented users from accessing the platform to verify whether their information was correct. So, was SAM hacked? The government says no, but it’s happened before. For digital pirates, the old adage rings true: where there’s a will, there’s a way. Let’s look at the incident and what federal contractors can do to keep their data safe from cyber criminals and breaches.
Was SAM Hacked?
Attorney Brandon Graves thinks so. He’s a partner at Centre, an award-winning government contracts law firm. “There were two significant problems with SAM.gov this morning,” Graves explained. “First, it sent automated emails to registered organizations that said kamiya@n-messcud.jp had updated the SAM.gov registry information for {{LBN}}. Then, the site was unavailable. Although general access to the site has been restored, a number of organizations are reporting that they still cannot access their records.”
Immediately upon discovering the event, people naturally speculated that a breach had occurred. The General Services Administration (GSA), which administers SAM, denied allegations of hacking. “This does NOT appear to be a scam, phishing, hack, malicious behavior or security breach,” the agency said in a tweet. “Entity Administrators should ignore these emails generated by SAM.gov in error. Investigations continue but we believe this was related to a software issue.”
A GSA spokesperson told Nextgov that an internal review was ongoing and attributed the email glitch and website outage to “unrelated issues.”
But experts such as Graves aren’t necessarily buying it. “Many people immediately speculated that SAM.gov was experiencing a data breach,” Graves said. “This is reasonable speculation; just days earlier, Federal News Network published a story highlighting GSA’s security misrepresentations. In 2018, FedScoop published an article claiming a 2018 data breach of the SAM.gov site. And of course, SAM.gov continues to have issues around the UEI transition.”
Graves also stated that the GSA’s credibility in denying cybersecurity deficiencies and sabotage attempts has been dubious historically: “The government often takes a skeptical view of cybersecurity victim statements, going so far as to attempt to pierce attorney client privilege on mere supposition of third party misconduct. Given the significant impact on government contractors of a SAM.gov data breach and GSA’s lack of adequate implementation to date, no one should take GSA’s statements at face value. The government owes what it demands of the private sector: transparency and accountability.”
Government Systems Have Been Compromised Before
Graves makes a compelling argument. In 2018, SAM was hacked. “Because of a recent cyber attack on the System for Award Management, the Federal Service Desk is requiring new contractors to submit a signed notarized letter in order to be registered,” an article in SmallGovCon revealed at the time. “Later this month, existing registrants seeking to update or renew profiles will have to do the same. This move comes after the General Services Administration acknowledged on March 22 that the inspector general is looking into a hack of the SAM.gov database, in which the hackers changed the banking information for “a limited number” of contractors.”
And to Graves’ point, the GSA stayed ambiguous and reticent on the subject. Also from SmallGovCon in its 2018 reporting: “The GSA has released scant details regarding the hack except to say that it affected only a limited number of registrants and that GSA has ‘notified the affected entities.’ The perpetrators apparently changed the bank account information for Electronic Fund Transfer (EFT) in an unspecified number of entities. Although GSA has not confirmed the electronic theft of any contracting dollars, presumably the hackers at least tried to get the federal government to pay them for contracted work.”
Of course, the 2018 attack isn’t an isolated event. Back in 2015, the Office of Personnel Management (OPM) announced that it had suffered a data breach affecting over 22 million personnel records. It was notably one of the largest breaches of government data in U.S. history. The information obtained and exfiltrated in the breach included personally identifiable information such as Social Security numbers, along with dates and places of birth, and addresses. Hackers working on behalf of and sponsored by the Chinese government carried out the attack.
Even if we allow that the GSA is correct and the issues were not caused by a cyber attack, they still highlight the persistence of security flaws.
“Specifically,” Graves wrote, “multiple inadvertent behaviors within hours of each other raises questions about the adequacy of controls and software development within the system. This is on the heels of President Biden’s National Cybersecurity Strategy. A central tenet of the strategy is to shift liability for software defects onto developers to ‘promote secure development practices’ and ensure that ‘Federal grant programs promote investments in new infrastructure that are secure and resilient.’”
How Federal Contractors Can Protect Their Data
If there’s a lesson to be learned here, it’s grounded in time-honored common sense, whether you’re a government agency, a small business, or an individual: be cautious and attentive. Never blindly trust the integrity of a system simply because it’s being administered by an authoritative entity. Even when using official government websites, users should remain skeptical and wary of absolute security.
Information federal contractors disclose to obtain a security clearance (which involves sensitive details about arrest records, family ties, foreign affiliations, financial data, and more) can be stolen from the federal government, as happened in 2015. Here are some simple steps that contractors should take right now:
- Validate that all information in SAM is still accurate and present.
- Do not allow for password sharing or reuse within the organization.
- Work with your IT or cybersecurity teams to take additional safeguards when information submitted is public.
- Never assume that a site can’t be compromised and operate accordingly.
- Always assume that a site can experience an outage at any time.
Beyond that, here are six additional general best practices that all organizations should follow to ensure the highest degree of security when entering data into a website.
- Before entering any sensitive information, verify that the website has a secure connection. Look for a padlock icon in the address bar and make sure the URL begins with "https" rather than “http.”
- When entering personal information into a site, divulge only the minimum amount of data required by the form. Avoid providing unnecessary details such as your home address or phone number, unless absolutely necessary.
- Use strong, unique passwords and do not reuse them across multiple accounts. A strong password should be at least eight characters long and contain a mix of uppercase and lowercase letters, numbers, and symbols.
- Enable two-factor authentication, which provides an extra layer of security by requiring a code. It can be sent to your phone by text or email. If that sounds like too much hassle, get an authenticator app, such as those provided by Microsoft and Google, to automatically generate codes for specific sites.
- Use reputable antivirus software and keep your online devices protected. Also make sure to update the software regularly.
- Be cautious of emails or messages that ask you to provide personal information, even if they appear to be from a legitimate source. Scammers may try to trick you into revealing your data by posing as a trustworthy organization or person. In the case of the SAM incident, many people realized that the name of the “official” was odd and unfamiliar, which caused them to research the issue. This level of awareness is key to preventing attackers from gaining access to your data.
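One way to act on the first step above (confirming that SAM registration data is still accurate) and on the last point (an unfamiliar name on an update notice), as an added example that is not part of the original article or any GSA tooling: the script compares a snapshot of a registration saved at the last review against a current copy and reports changed fields, treating the EFT banking fields altered in the 2018 incident and an editor outside the organization's admin list as high priority. The field names, sample values and admin list are constructed assumptions; an organization would fill them from its own exported registration data.

```python
"""Detect unexpected changes in a SAM.gov registration snapshot.

Added illustration, not SAM.gov or GSA tooling: the field names, sample
values and admin list below are constructed for this example."""

# Fields whose change is always high priority: the 2018 SAM incident
# involved altered Electronic Funds Transfer (EFT) banking details.
HIGH_RISK_FIELDS = {"eft_routing_number", "eft_account_number",
                    "remittance_address"}

# Constructed baseline the entity administrator saved on the last review.
BASELINE = {
    "uei": "EXAMPLEUEI01",
    "legal_business_name": "Example Contractor LLC",
    "eft_routing_number": "011000015",
    "eft_account_number": "000123456789",
    "remittance_address": "1 Main St, Springfield",
    "points_of_contact": "admin@example-contractor.test",
    "last_updated_by": "admin@example-contractor.test",
}

# Constructed copy of the record as it appears today: banking details
# changed by an editor nobody in the organization recognizes.
CURRENT = dict(BASELINE, eft_account_number="000999999999",
               last_updated_by="unknown-user@example.invalid")

# Constructed set of people allowed to edit this registration.
KNOWN_ADMINS = {"admin@example-contractor.test"}


def audit_registration(baseline, current, known_admins,
                       high_risk=HIGH_RISK_FIELDS):
    """Return a list of findings, each as (field, severity, old, new)."""
    findings = []
    for field in sorted(set(baseline) | set(current)):
        old, new = baseline.get(field), current.get(field)
        if field == "last_updated_by":
            # Judge the editor against the allow-list rather than history,
            # so a legitimate second administrator does not trip the diff.
            if new not in known_admins:
                findings.append((field, "HIGH", old, new))
            continue
        if old != new:
            severity = "HIGH" if field in high_risk else "MEDIUM"
            findings.append((field, severity, old, new))
    return findings


if __name__ == "__main__":
    for field, severity, old, new in audit_registration(
            BASELINE, CURRENT, KNOWN_ADMINS):
        print(f"[{severity}] {field}: {old!r} -> {new!r}")
```

Run after each SAM notification email or on a schedule; any HIGH finding is a reason to confirm the change with the Federal Service Desk rather than wait for the next renewal.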
Stay Aware and Safe
The reality is that all organizations need to implement secure software development practices and emphasize overarching policies on data ethics, as we have discussed in the past. Even the federal government can fall victim to digital predators who exploit cybersecurity vulnerabilities. And no matter how advanced security protocols become, hackers will likely become more advanced in their tactics too. The rule of thumb now and in the future is for users to remain ever-vigilant and hold themselves accountable for protecting crucial data rather than relying solely on site administrators to do it for them.