The Government Printing Office, criticized for lax security on passports, can’t locate at least 88 laptops issued to employees, some of whom had access to sensitive information about the e-Passport that is a crown jewel of America’s border security.
The federal printing agency’s internal watchdog says the lion’s share of missing laptops involved the agency’s Information Technology and Systems division, and that some of the losses may have exposed sensitive information about the vulnerability of the e-Passport supply chain.
“The failure to adequately account for laptops may have resulted in the inadvertent exposure of sensitive GPO business information about acquisitions and human capital, as well as the manufacture and issuance of security documents such as U.S. passports,” the inspector general concluded in a report obtained by the Center for Public Integrity.
The passports store biometric information on tiny computer chips designed to validate the true identity of passport holders, and then transmit the data to U.S. officials at customs checkpoints using a tiny radio antenna. Even the photograph is digitized. The aim is to prevent tampering or unauthorized reading of the data.
But GPO’s supply chain for the e-Passport, which controls access at U.S. ports of entry, has generated recent concern.
The Center for Public Integrity and ABC News reported in a joint investigation this summer that internal reviews had found that GPO had weak security policies intended to protect e-Passport components manufactured or assembled overseas. Those policies allowed some e-Passport components to be made in Thailand — despite repeated warnings of the nation’s instability and proximity to terrorists.
Security specialists – including some within the GPO – worry that if criminals or terrorists gain access to e-Passport components, they could clone a passport and foil the electronic security system.
GPO told the Center this summer that it had planned to move all of the Thailand component production to a plant in Minnesota by this August.
GPO spokesman Gary Somerset said Tuesday the agency completed the transition to Minnesota in mid-September, and the agency was taking steps to address the concerns about the laptops.
“GPO has a process of turning in used laptops to the agency’s IT department to have the hard drives erased or destroyed. However, the IG report noted the agency needs a better inventory control system once a laptop has been re-issued or destroyed. GPO is working on procedures to implement such a system,” he said.
“Also, there is no evidence to indicate any sensitive information has been compromised,” he added.
Agency managers were quoted in the inspector general report as saying they agreed with the findings and “planned corrective actions that we consider responsive to the recommendations.”
The GPO inspector general said it began investigating laptop security in 2008 after receiving a report that about 20 computers were missing or stolen from a storage area.
The watchdog sampled about half of the agency-owned laptop supply. It found 88 of the sample of 304 could not be accounted for. It estimated that altogether between 150 and 213 laptops were likely missing out of a total supply of 629 issued to employees between 2005 and 2009.
Of particular concern, 68 of the missing laptops were issued before GPO began encrypting data and as many as 28 of the lost laptops belong to GPO employees with access to sensitive information.
Among them were two former Security and Intelligent Documents Unit employees, including the former Product Security Manager “who performed risk assessments of e-passport supply chain vendors and suppliers,” the inspector general reported.
Agency officials said they had a record of wiping the data clean on one of those laptops but still couldn’t find the computer. Somerset said late Tuesday that missing computer was finally located. “Upon
further investigation, this laptop in question is currently within GPO’s possession and verified the memory has been wiped clean,” he said.
“With as many as 213 laptops projected missing, GPO risked exposing sensitive information,” the inspector general warned.
The watchdog blamed the agency for failing to follow basic common-sense procedures to manage laptop inventory and ensure sensitive information was protected.
“There was a lack of security and inventory controls [within GPO’s information technology division) as well as a general disregard for property management controls,” the inspector general said.