Sensitive Secret Service Data at Risk of Unauthorized Access and Disclosure
“Today, the Department of Homeland Security Office of Inspector General (OIG) released a new report containing troubling findings regarding IT management
at the Secret Service. The audit report, USSS Faces Challenges Protecting Sensitive Case Management Systems and Data (OIG-17-01), is a follow-up to the OIG’s prior independent investigation into Secret Service employees’ improper access and disclosure of information about Congressman Jason Chaffetz contained in a Secret Service database.
In the prior investigation, the DHS OIG found that on approximately 60 different occasions, 45 Secret Service employees accessed database information about Representative Chaffetz, Chairman of the House Committee on Oversight and Government Reform, related to his job application from 2003. The vast majority of the 45 employees who accessed the information did so in violation of the Privacy Act, as well as Secret Service and DHS policy. This episode prompted the DHS OIG to audit the effectiveness of the protections in place on Secret Service IT systems.
The resulting audit uncovers a myriad of problems with Secret Service’s IT management including inadequate system security plans, systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and overretention of records. The OIG concluded that Secret Service’s IT management was ineffective because Secret Service has historically not given it priority. The Secret Service CIO’s Office lacked authority, inadequate attention was given to updating IT policies, and Secret Service personnel were not given adequate training regarding IT security and privacy. The Office of Inspector General made 11 recommendations and Secret Service agreed to take the recommended corrective actions.
“Today’s report reveals unacceptable vulnerabilities in Secret Service’s systems,” said Inspector General John Roth. “While Secret Service initiated IT improvements late last year, until those changes are fully made and today’s recommendations implemented, the potential for another incident like that involving Chairman Chaffetz’ personal information remains.” “