An inspector general audit revealed a number of incidents in which the General Services Administration failed to respond promptly and appropriately to data breaches. In one case, GSA took more than 800 days to notify a handful of people that it had accidentally exposed their personal information. In another, the agency took six months just to determine that a data breach had occurred, and another two months to notify the people affected.

The focus of the report is GSA’s response to a September 2015 breach in which an unencrypted file with personal information about roughly 8,200 people was shared with an external auditor.

The agency first failed to notify any of these people within the 30-day deadline that followed notification of DHS. In January 2017, it was discovered that 26 victims still had not been notified. Contact information for 20 of them was found but not used until December 2017. No contact information was found for the final six.

More at NextGov