Watchdog warns FBI is sloppy on secure data storage and destruction

National security data up for grabs, Office of the Inspector General finds


The FBI has made serious slip-ups in how it processes and destroys electronic storage media seized as part of investigations, according to an audit by the Department of Justice Office of the Inspector General.

Drives containing national security data, Foreign Intelligence Surveillance Act information and documents classified as Secret were routinely unlabeled, opening the potential for them to be either lost or stolen, the report [PDF] addressed to FBI Director Christopher Wray states.

Ironically, this lack of identification might be considered a benefit, given the lax security at the FBI's facility used to destroy such media after they have been finished with.

The OIG report notes that it found boxes of hard drives and removable storage sitting open and unattended for "days or even weeks" because they were only sealed once the boxes were full. This potentially allows any of the 395 staff and contractors with access to the facility to have a rummage around.

Not exactly the most secure system of storage. Source: OIG.

To deal with this, the FBI is installing wire cages to lock away storage media. In December, the bureau said it would install a video surveillance system at the evidence destruction storage facility to tighten security. As of June this year, it was still processing the paperwork to do so.

The OIG also found that FBI agents aren't tracking hard drives and removable storage sent into the central office and the destruction facility. Typically, seized computers are tagged for tracking, but as a cost-saving measure, agents are advised to send in media storage devices containing national security information without the chassis. While there is a requirement to tag removable storage, there isn't the same requirement for internal hard drives.

"The lack of inventory controls over the FBI’s electronic storage media increases the FBI’s risks of having thumb drives, disk drives, and hard drives or solid-state drives lost or stolen after they have been extracted from the larger electronic component, such as a laptop or a server," the report states.

"Also, the FBI does not mark these electronic media to identify the level of classification of the information contained in the storage device. The lack of accountability over these media, as well as the lack of internal physical access control and adequate camera coverage at relevant areas at the Facility, unnecessarily places electronic storage media at risk of loss or theft without the possibility of detection."

The FBI has assured the regulator that it has the problem in hand and has drafted a Physical Control and Destruction of Classified and Sensitive Electronic Devices and Material Policy Directive, which will require data to be marked up and destroyed safely. The agency says this policy is in the final editing stage and will be issued as soon as possible.

The Register asked the FBI and OIG for comment and will update this piece as soon as information comes in. ®

Updated at 2100 UTC on August 26

An FBI spokesperson told The Register: "The FBI appreciates the Office of Inspector General's (OIG) review of the site and has completed security enhancements and procedural changes to mitigate the concerns identified."

The spokesperson added that every worker or contractor allowed into the facility has been security vetted, and the entire site is fenced off and has "positive perimeter access control" and intrusion detection systems.

An internal examination of records has "identified zero incidents of site compromise and zero incidents of access by uncleared/unauthorized personnel," we're told.
