Information technology shortcomings within the Secret Service mean the potential still exists for employees to improperly access the agency’s restricted database, as agents did last year when they leaked unflattering information about House Oversight Chairman Jason Chaffetz, according to a new inspector general’s report.
The Department of Homeland Security Inspector General has found that even after last year’s embarrassing incident, the Secret Service still does not have adequate controls in place to protect sensitive information it stores in its databases.
“Today’s report reveals unacceptable vulnerabilities in Secret Service’s systems,” said Inspector General John Roth. “While Secret Service initiated IT improvements late last year, until those changes are fully made and today’s recommendations implemented, the potential for another incident like that involving Chairman Chaffetz’ personal information remains.”
The problems came to light last year after it was leaked to the press that Mr. Chaffetz had applied to the Secret Service in 2003 but was never called in for an interview.
Agents queried a Secret Service file on Mr. Chaffetz, discovering his prior application, as the Republican congressmen led a series of inquiries into a string of scandals that involved the Secret Service. An previous investigation into the eventual leak of the information by the DHS inspector general found that 45 Secret Service agents accessed the Chaffetz file 60 times, potential criminal violations of the U.S. Privacy Act.
Some took screenshots of the information in the database and forwarded them to others. Eighteen supervisors, including Assistant Director Edward Lowery who suggested leaking the information, knew that the file was being circulated widely around the agency.
The inspector general’s followup investigation, released Friday, found that while the Secret Service has taken some steps since then to improve security of its internal systems, that the agency “has no reasonable assurance that its information systems are properly secured to protect Law Enforcement Sensitive case management information.”
“USSS systems and data remain vulnerable to unauthorized access and disclosure,” the report concludes.
The report indicates that the Secret Service has not prioritized information technology management as a priority, resulting in “a myriad of problems” including inadequate access and audit controls, privacy protections, and system security plans. Before the agency overhauled its Master Central Index, which served as a case management tool for querying information on individuals, the Secret Service found that 5,414 employees had access to the data and that once a user was granted access, the person had access to all information in the system whether or not it was necessary for their job.
Secret Service spokeswoman Cathy Milhoan said the agency has made “tremendous progress” improving its IT systems since the Chaffetz incident.
“We are confident that out systems are secure and we’ve been extremely effective in doing that,” she said.
Mr. Chaffetz on Friday asked the inspector general to more broadly investigate agents’ access of personal information to determine whether there was systematic mishandling of this type of information. He also suggested that the Secret Service’s “cyber-related responsibilities” be moved outside the agency for the time being.
“The Secret Service believes they have a core mission to protect the nation’s financial infrastructure from cyber related crimes, yet can’t keep their own systems secure,” Mr. Chaffetz said in a statement issued Friday. “The loss or theft of law enforcement sensitive information is disastrous and jeopardizes witnesses involved in criminal cases or the identities of undercover officers, or worse,.”
In a letter sent to Mr. Roth, the congressman also raised concern about what he described as a lack of adequate discipline of those who accessed and shared his own personal information.
The inspector general’s report made 11 recommendations for improvement, which the Secret Service and DHS Privacy Office agreed with. They include annual privacy and security awareness training for staff, appointment of a privacy officer, and plans to ensure that employees and contractors be required to use Personal Identity Verification cards in order to access data on Secret Service networks and systems. About 3 percent of “privileged” and 99 percent of non-privileged users were not using cards in order to access data.
By not requiring the cards to be used in order to access internal databases, the Secret Service was “hindered in
its ability to limit system and data access to only authorized users with a legitimate need,” the report states.
Ms. Milhoan said the agency began requiring mandatory usage of PIV cards since June 2016.
• Andrea Noble can be reached at anoble@washingtontimes.com.
Please read our comment policy before commenting.