The Federal Bureau of Investigation fails to properly label, store, and secure decommissioned electronic storage media containing sensitive information, a new report from the Department of Justice’s Office of the Inspector General (OIG) shows.
During a contract audit, OIG discovered weaknesses in the physical security of these items at an FBI-controlled facility where the media was being destroyed, such as the fact that these devices were stored for a long time on pallets but were not properly guarded.
These devices, including internal hard drives and thumb drives, contained sensitive but unclassified law enforcement information and classified national security information (NSI), the OIG report (PDF) shows.
Despite that, the FBI could not always account for these devices. Internal hard drives, even those removed from Top Secret computers, were not properly tracked and the agency could not confirm that they were properly destroyed.
“We believe that the FBI’s practice of not accounting for extracted internal hard drives, thumb drives, and other media devices is not consistent with FBI or DOJ policies to ensure accountability of media containing sensitive or classified information,” the OIG points out.
According to the report, although computers and servers had proper classification labels, these were not put on the internal electronic storage media extracted from them. Small flash drives were not labeled either and their classification could not be identified.
“When extracting internal electronic media for disposal, these internal media become stand-alone assets without any label to identify the level of classification of information they contained or processed,” the OIG says.
The audit also discovered that, at the facility where they were meant to be destroyed, extracted internal hard drives marked non-accountable were stored for close to two years on a pallet with torn wrapping, thus being exposed to almost 400 individuals who had access to the facility as of May 2024.
“The facility is shared with other FBI operations, such as logistics, mail, and information technology equipment fulfillment. Based on an access list the FBI provided in May 2024, there were 395 persons with active access to the Facility, which included 28 task force officers and 63 contractors from at least 17 companies,” the OIG says.
The report also shows that the FBI supervisor and contractor confirmed that, because the devices were not accounted for or tracked, they would not know if any hard drives would be taken from the pallets.
The OIG recommends that the FBI revises its procedures to ensure that storage media devices slated for destruction are properly accounted for, tracked, sanitized, and destroyed, that it implements controls to ensure that electronic storage media is labeled with the appropriate classification, and that it improves the physical security of these devices at the destruction facility, to prevent their loss or theft.
“The lack of inventory controls over the FBI’s electronic storage media increases the FBI’s risks of having thumb drives, disk drives, and hard drives or solid-state drives lost or stolen after they have been extracted from the larger electronic component, such as a laptop or a server,” the OIG notes.
Related: Pentagon Leaker Jack Teixeira to Face Military Court-Martial, Air Force Says
Related: Decommissioned Medical Infusion Pumps Expose Wi-Fi Configuration Data
Related: FBI Warns of Fraudulent Crypto Investment Applications
Related: Watchdog Finds New Problems With FBI Wiretap Applications
