The FBI’s poor handling of electronic storage media bound for destruction opens the possibility that sensitive data and national security information they contain can be stolen or lost, according to the results of a contract audit that ran from late last year and into early 2024.

The federal law enforcement agency isn’t properly securing classified national security information (NSI) or sensitive but unclassified (SBU) information, can’t always account for loose storage media like hard drives, server drives, thumb drives, and floppy disks, and doesn’t always include property labels on them, according to the Justice Department’s (DOJ) Office of the Inspector General (OIG), which released the audit results this week.

There also were problems regarding the physical security of the items at an FBI-controlled facility, where they were to be destroyed.

“The lack of accountability of this electronic storage media is compounded by inadequate internal physical access and security controls at the Facility, potentially placing these media at risk of loss or theft without the possibility of detection,” the OIG wrote in the report, adding that the poor practices highlighted don’t comply with FBI or DOJ policies.

Meant for Destruction

Systems that are slated for destruction – which include desktops, laptops, servers, CDs, DVDs, smartphones, hard drives, and USB drives – coming in from FBI headquarters and other offices around the Capitol and 36 field offices across the country and Puerto Rico are sent to a central location operated by the FBI’s Asset Management Unit (AMU). Other field offices that don’t use the AMU’s services can use other vendors. Because of the sensitive information in the devices, all memory components are treated as thought they contain SBU or classified NSI.

The AMU sanitizes and destroys electronic media based on priority, with some that contain top secret information or are special cases being destroyed immediately, followed by others laptops, printers, fax machines, and other devices, and then answering machines, shredders, and other bulky items.

The electronic media in all the systems are sanitized using a degausser, shredder, and disintegrator. They’re then storage in large pallet-size boxes and when a box is full, it’s shipped to be recycled, smelted, incinerator, or reused.

No Tracking Labels

The FBI puts property asset tracking labels on the chassis of computers and servers, but not on internal storage media, which contains the data, which means if they’re extracted from the systems before the FBI sends them in, they’re standalone items and can’t be tracked.

“Further, when extracting internal electronic media for disposal, we found that the FBI does not mark the media to identify the level of classification of the information contained on the storage device,” the OIG wrote. “Additionally, we found that the FBI does not label small media flash drives to identify its classification. These practices are not in accordance with FBI and DOJ policies.”

Inadequate Security

There also are problems at the facility where the devices are destroyed. In particular, the internal physical security of the electronic media in the facility itself was insufficient. A visit to the site in October 2023, the inspectors found an open pallet-size box of hard drives and solid-state drives marked “non-accountable” and some of the drives without labels or markings and others marked “unclassified” and “secret.” They were told by a worker that the pallets for loose media was unsecured for extended periods of time that could span days or weeks. They would be wrapped and moved to the shelves in the facility only when the box was filled to capacity.

Another container was labeled “January 2022” and identified the contents as “non-accountable.” The shrink wrap around the box was torn and boxes inside were open and contained hard drives marked “secret.” Boxes marked “non-accountable” are shelved for long periods of time, with some on the shelves having sat there for as long as 21 months.

The facility also used by other FBI operations, including logistics, mail, and IT equipment fulfilment. The inspectors wrote that, based on an access list from the FBI in May, 395 people had access to the facility, including 28 task force officers and 63 contractors from at least 17 companies.

“There is no physical barrier preventing FBI and non-FBI personnel and contractors from other Facility operations from accessing PTI’s [AMU’s Property Turn-in Team] work area and the pallets of unsanitized assets in the Facility shelving space,” they wrote. “Although there is a metal roll-up door to the MDT’s [AMU’s Media Destruction Team] work area, the FBI supervisor and MDT contractor did not explain why they do not lower the closure to secure the space at the end of the day to prevent non-AMU personnel access to the media sanitization and destruction areas.”

Cameras Not Working

Adding to the problems was a non-functioning camera and the lack of camera coverage in other areas, further hindering the FBI’s ability to monitor and address any security incidents or inventory discrepancies.

The OGI recommended the FBI revise its procedures to ensure all electronic storage media containing sensitive or classified data – including hard drives extracted from computers slated for destruction –are accounted for, tracked, timely sanitized, and destroyed. The storage media also should be marked with the appropriate NSI classification level and the facility itself hardened to prevent theft or loss.