The audit cites outdated access controls and poor privacy protections.
The Secret Service still isn’t adequately guarding its computer systems more than a year after agency employees leaked screenshots of a congressman’s job application they should not have had access to, according to an audit released Friday.
The audit by the Homeland Security Department's inspector general found incomplete and outdated security plans, insufficient privacy protections and outdated authorizations for Secret Service systems that house sensitive data.
Perhaps most significantly, the agency has not updated its policies for who can access what information since 2003, the report states, raising the likelihood that employees could access information not necessary for their jobs.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
House oversight Chairman and agency critic Rep. Jason Chaffetz, R-Utah, released a statement in response to the audit saying the agency should be stripped of its cybersecurity mission, which includes investigating financial cybercrimes.
“The loss or theft of law enforcement sensitive information is disastrous and jeopardizes witnesses involved in criminal cases or the identities of undercover officers, or worse,” Chaffetz said. “[The Secret Service’s] cyber-related responsibilities should be moved elsewhere. They lack the right personnel to do the job and senior leadership isn’t accountable.”
An earlier IG report found 45 Secret Service employees accessed an old job application from Chaffetz. Only four of those employees had legitimate reasons to access the file for their jobs, the report said.
The employees also shared screenshots that contained Chaffetz’s personal information, including his Social Security number, on an unclassified email system and the screenshot was leaked to the press. The employees were later disciplined.
The Secret Service updated its information systems shortly after that report, migrating the information from a mainframe system that dated back to the 1980s into five new systems in 2015. The agency did not sufficiently update access controls, however, according to the IG report.
“These problems occurred because [Secret Service] has not consistently made IT management a priority,” the audit states, citing limits on the agency chief information officer’s power, high turnover in the CIO’s office and inadequate employee security training.
The agency launched an effort to improve system security in late 2015, including bringing on a new CIO, Brig. Gen. Kevin Nally, and giving him full information technology spending authority. It’s not yet clear, however, if those changes will be effective, the audit states.
“The Secret Service appreciates the OIG’s audit and recognizes that continued improvements to our IT systems are needed and essential to the successful completion of our mission,” Secret Service Communications Director Cathy Milhoan said in a statement.
Updated Oct. 14 to include a statement from Rep. Chaffetz.