The National Archives and Records Administration (NARA) has lost an external hard drive that contained copies of sensitive data belonging to the Clinton administration, the agency confirmed Wednesday.
The drive contains what is said to be a terabyte of data, including personally identifiable information of White House staff and visitors. NARA discovered that the hard drive was missing in early April 2009 and reported it to senior officials, including the inspector general (IG) of NARA, who started a criminal investigation into the breach, according to a statement sent from NARA to SCMagazineUS.com Wednesday.
The drive went missing sometime between October and March from the Archives facility in College Park, Md., the Associated Press reported, citing Reps. Edolphus Towns, D-N.Y., and Darrell Issa, R-Calif., who learned details of the breach from the NARA IG. The breach occurred when NARA was in the process of converting information from the Clinton administration to digital records. Before it went missing, the drive was placed on a shelf for an unspecified period of time in an area that could have been accessed by more than 100 individuals with official badge access and other visitors, janitors, interns and passers-by, the AP reported.
The NARA IG was not available Wednesday. A spokeswoman for the Archives said the agency could not provide any additional details or confirm those reported by the AP.
In a statement about the breach Towns said he is "deeply concerned about this serious security breach at the National Archives."
"Therefore, I will hold separate members' briefings on ongoing investigations into this matter with the National Archives inspector general and the FBI, so committee members can begin to understand the magnitude of the security breach and all of the steps being taken to recover the lost information," Towns said.
NARA is preparing to issue a breach notification to affected individuals. In addition, NARA immediately undertook a review of internal controls and has implemented improved security processes, the agency said in the statement to SCMagazineUS.com.
“There are several ways this incident could be avoided and the case of the missing hard drive would be irrelevant,” Nick Nikols, vice president of security at Novell told SCMagazieUS.com in an email Wednesday. “Obviously, you could put it in a drawer, lock it in a cabinet, or hire honest people that don't have shifty eyes, etc. However, the key to this incident is mainly negligence and a false sense of security, a scenario many companies and government organizations experience.”
From a technology perspective, there are a plethora of solutions to solve this issue but, there is no technology that solves pure complacency, Nikols added.
Phil Lieberman, founder and CEO of Lieberman Software told SCMagazineUS.com in an email Wednesday that it's hard to determine the extent of risk exposure associated with this breach with the limited details that are known but given that these are mostly public figures, the extent of “private” information contained on the disk is probably limited.