Right on the cusp of notable data breaches at government entities, the Office of Inspector General (OIG) was investigating use by the Department of Veteran Affairs (VA) of a supposedly closed and approved social network.
The VA “improperly” used Yammer, a “private social network,” according to the company's website. Plus, beyond its wrongful use, the OIG wrote that the service had “vulnerable security features,” which could have left the VA and its employees vulnerable to digital attackers.
VA employees didn't come to Yammer organically, instead, the OIG wrote, the agency's former CIO offered suggestions for using Yammer while still complying with agency directives, even though the social network likely wasn't supported by the broader federal government and regulations.
More specifically, VA policy requires any established VA social media account to have a legitimate business case, as well as “adequate resources” available to establish and maintain the site. Previously established websites must also be “kept up-to-date” and meet VA quality standards.
While Yammer's first VA network was created in 2008 by an IT project manager, the network was never approved or monitored; no terms of service were negotiated. The original VA user wasn't aware she was the first, as the site created a network around her @va.gov email domain. At that point, the OIG writes, the network “snowballed,” with many employees joining.
Any data posted on the social network is owned by the organization if it purchases a subscription, however, the VA never did, and often times, users shared seemingly sensitive data among one another. In one instance, a user shared the VA's IP addresses.
Furthermore, users weren't removed from the network after leaving the agency, and there was never a centralized administrator. The site also commonly malfunctioned and automatically spammed colleagues by asking them to join a user's network.
That was enough for the OIG to write “certain activities made VA vulnerable to malware or viruses, which could spread quickly on a social media site, because of a false sense of security that VA approved the use of Yammer.”
Overall, the VA is recommended to examine the social network and formally determine its approval, as well as to review officials' actions in misrepresenting Yammer as approved.