BPM
Search

Federal Audit Clearinghouse (FAC) Data Breach Update

08.18.15

Recently BPM and others have been alerted that the U.S. Census Bureau experienced an effective cyber-attack on one of its Information Technology (IT) databases used for accessing the Federal Audit Clearinghouse (FAC). This database is on an externally facing IT system that houses FAC information.

While the U.S. Census Bureau IT forensics investigation continues, they are assuring users that at this time every indication is that the breach was limited to this database, and that it did not include personally identifiable information provided by people responding to household or business censuses and surveys. Within 90 minutes of learning of the breach, the IT system was taken offline. It will remain offline until the U.S. Census Bureau has completed a thorough investigation and takes steps to ensure the system's integrity in the future.

The U.S. Census Bureau issued emails and letters to those who have worked with and had interactions with the FAC. Specifically, the issued letter is to make users aware that the following information was posted to the hacker(s) public website:

Data Respondents to Federal Audit Clearinghouse Database

Public Information

  • Your Name;
  • Address provided to the Federal Audit Clearinghouse database;
  • Email address provided to the Federal Audit Clearinghouse database; and
  • Telephone number provided to the Federal Audit Clearinghouse database

Image Management System Users

Public Information

  • Your Name;
  • Address provided to the Federal Audit Clearinghouse database;
  • Email address provided to the Federal Audit Clearinghouse database; and
  • Telephone number provided to the Federal Audit Clearinghouse database

Non-Public Information

  • Federal Audit Clearinghouse username;
  • Federal Audit Clearinghouse masked password; and
  • Response only to a security question for Image Management System password reset.

Currently the FAC website is down and not accepting any uploads or searches for Data Collection Forms. As the Data Collection Form is due the earlier of 9 months after an entity’s fiscal year ends or 30 days after the audit is issued some entities may be delinquent in the completion of the Data Collection Form. The site has been closed since the week of July 20, 2015.

Update

The FAC has now released information that any forms with a due date July 22 – September 30, 2015 will be extending to October 31, 2015.

Topic

Related People

Related Services