The FBI is in some trouble with the DOJ after a recent audit of its data handling practices, and the incident serves as an example of how unclear or conflicting policies can trip up larger organizations and create serious security holes. In this case, storage media slated for destruction ended up exposed to outside contractors due to oversights in a labeling system.
The Office of the Inspector General (OIG) has put the FBI on notice after inspecting a central facility used to process internal equipment slated for destruction and finding that storage media containing sensitive and classified information was left sitting on pallets in an open area for as long as two years at a time. The central issue seems to be a well-meaning policy meant to clear bulky items out of storage first and reduce shipping costs, but one that failed to adequately cover the labeling and handling of hard drives and portable media.
Labeling system failure led to storage media exposure
The FBI’s data handling problem seems to have started with a simple logistics policy: prioritize destruction of big and bulky items, like desktop computer sets and other sizable hardware, so as to reduce the ongoing need for storage space. Computers with sensitive information were labeled appropriately: “NSI” for those containing classified national security information or “SBU” for those with sensitive but unclassified information.
The hangup came from a conflicting policy also centered on reducing waste and saving money: hard drives and other storage media were to be removed from these computers first, and shipped to the same facility through a separate government courier system. While FBI agents did in many cases attach a numerical label to these drives that tied them to their computer of origin, they were not independently labeled with NSI or SBU tags and the facility apparently did not check them against their source for potential data handling risks.
Instead, all storage media went to the bottom of the priority list for destruction. Not only were they the last items to go, they were also tossed into very large boxes on pallets that had to be filled to the top before they were moved out for assumed compacting. The end result was pallets full of drives containing NSI and SBU material that could sit in a warehouse for as long as two years at a time.
The facility, not named for security reasons, is controlled by the FBI and limits outside access to a total of 395 people. 63 of these are contractors from a total of 17 private companies, however, and it appears some did directly participate in the storage media sanitization and destruction process.
FBI pledges to improve data handling after audit
The data handling snafu includes storage media removed from computers labeled as “Top Secret.” It is unclear who, if anyone, might have accessed the bins as both an FBI supervisor and a facility contractor confirmed that the agency essentially stopped tracking access once the drives were placed in them.
The area the bins are kept in did have a surveillance camera monitoring the entry and exit point, but apparently not a functioning one. The facility began installation of cameras in late 2023 but was unable to complete the project for some reason, leaving them still non-functional as of the inspection in May 2024.
While there is no specific indication of illicit access, the potential is more than a little concerning. The facility reportedly handled storage media sent from the FBI national headquarters as well as 36 regional field offices.
The FBI pledged to make changes in response to the audit, overhauling its data handling policy and improving physical security at the location (including locked cages that will now enclose the bins). But an even simpler safeguard could have mitigated the risk of leaving all of this storage media exposed: a thorough encryption-at-rest policy, bolstered by strong MFA requirements to access anything potentially sensitive.