The tool called Yammer allows users to create social networks inside companies and organizations where employees can exchange messages, files, documents, videos and other data. Senior officials had endorsed the use of Yammer without prior authorization or approval from the Office of Public and Intergovernmental Affairs, which is required by agency rules, according to The Wall Street Journal.
The underlying issue is the VA was using a free version of the tool when they could have upgraded to a version offering more control over communications, according to the report.
The audit found more than 25,000 agency email addresses were registered as active users on Yammer, according to WSJ. Use of Yammer lacked administrative oversight, and users “downloaded and shared files, videos and images, risking malware or viruses spreading quickly from the site,” the audit reads.
The audit also found at least one instance where an IP address, which is considered sensitive data, may have been shared on the social network.
Additionally, users were using the social network for non-related communications, including complimenting an employee’s wardrobe choice, which the audit report found “unprofessional, or had disparaging content that reflected a broad misuse of time and resources,” according to WSJ, which quoted the audit report.
A spokesperson with the VA told WSJ the agency is reviewing the situation. “While making available tools to allow employees to engage, remain connected and share ideas, we must also consider the appropriate use of employee time, stewardship of taxpayer resources and protection of sensitive information.”
More articles on data breaches:
Lawrence General Hospital reports data breach due to missing thumb drive
3rd lawsuit filed against MIE after data hack: 5 things to know
UCLA Health System faces another lawsuit for data breach affecting 4.5M patients
