IG: FBI at risk of having sensitive devices lost, stolen

From unlabeled hard drives to a non-functioning security camera, the Justice Department’s watchdog is flagging urgent concerns about gaps in the FBI’s processes for destroying sensitive electronic devices.

In a management alert issued this week, the DoJ inspector general says the FBI is at risk of losing track of thumb drives, hard drives and other electronic media with potentially highly sensitive and even classified data. The alert draws attention to the FBI’s electronic disposal practices, which are overseen by the agency’s Asset Management Unit.

The IG identified multiple shortcomings at an FBI-controlled facility where employees destroy or “sanitize” electronic media. The report does not name the facility due to security concerns.

The report specifically raises concerns about the FBI’s practice of putting tracking labels on the frames of computers and servers, but not directly on internal hard drives, thumb drives and other electronic devices where sensitive data is stored.

“We believe that the FBI’s practice of not accounting for extracted internal hard drives, thumb drives, and other media devices is not consistent with FBI or DoJ policies to ensure accountability of media containing sensitive or classified information,” the IG wrote.

Issues at the disposal facility

At the unnamed facility, the IG found open pallet-sized boxes with unmarked electronic media mixed in with devices marked both “classified” and “secret.” A staff member with the FBI’s “Property Turn-In” (PTI) team told the IG that the loose media was “unsecured for extended periods, sometimes spanning days or even weeks because PTI would wrap the pallets and move them to the facility shelves only when the box reached full capacity.”

And while the facility shares offices with nearly 400 employees and contractors working on other FBI operations, the IG found that the PTI team did not adequately secure the disposal space.

“There is no physical barrier preventing FBI and non-FBI personnel and contractors from other facility operations from accessing PTI’s work area and the pallets of unsanitized assets in the facility shelving space,” the IG wrote.

The watchdog also found the unnamed facility’s classification accreditation had expired in March 2016. The FBI subsequently performed a site visit and issued a final accreditation in January 2025.

“The FBI stated that the lack of final accreditation was an administrative oversight and that enhancements had been completed in the interim,” the report stated. “However, the FBI could not provide evidence of when the required enhancements were completed.”

And while the FBI had plans to install a security camera at the facility, the IG found that as recently as this June, the agency hadn’t yet obtained the waiver necessary to operate the camera.

“We believe that the combination of the FBI’s lack of accountability of the electronic storage media, lack of internal physical access control, and lack of sufficient video surveillance compounds the risk of media, potentially with sensitive and classified information, being lost or stolen without detection,” the IG wrote. “We recommend that the FBI strengthen the controls and practices for the physical security of its electronic storage media at the facility to prevent loss or theft.”

While agencies like the FBI spend hundreds of millions of dollars per year on cybersecurity, the proper disposal of older media devices is often an unchecked gray area not covered by an agency’s cybersecurity program or typical cyber audit.

In an Aug. 6 response attached to the IG’s report, the FBI agreed with the watchdog’s recommendations. Officials said they were updating marking and accountability directives, while also installing “cages” in the unnamed facility to better protect the sensitive electronics.

The FBI also said it was working on “coordination of a waiver to permit specific video security system coverage of the ‘cages’ and other sensitive areas.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.