http://www.govexec.com/dailyfed/0108/012308j2.htm
By Jill R. Aitoro
Govexec.com
January 23, 2008

Personal and sensitive government data -- including employees' personal
data -- on magnetic tapes that federal agencies erase and later sell can
be retrieved using simple technology, according to an investigation
conducted by a storage tape manufacturer.

The findings contradict a report released by the Government
Accountability Office last year that concluded such data was
irretrievable.

From March through August 2007, GAO investigated whether data could be
retrieved from used magnetic tapes that federal agencies sell to
commercial tape companies in the United States. Magnetic tapes are
widely used by federal agencies, particularly for backing up data stored
on large systems in the event of a disaster or system failure. The
sample of tapes that GAO obtained came from such agencies as the Federal
Reserve Bank, the Air Force and the National Oceanic and Atmospheric
Administration.

According to its September 2007 report (GAO-07-1233R) [1], GAO concluded
it could not find "any comprehensible data on any of the tapes using
standard commercially available equipment and data recovery techniques,
specialized diagnostic equipment, custom programming or forensic
analysis."

Selling used magnetic tapes is not illegal, GAO pointed out, and if
agencies follow guidelines set by the National Institute of Standards
and Technology for erasing all data, the risk of theft is low. "Based on
the limited scope of work we performed, we conclude that the selling of
used magnetic tapes by the government represents a low security risk,
especially if government agencies comply with NIST guidelines in
sanitizing their tapes," GAO concluded. "Even if some data were
recoverable from some tape formats that had been overwritten to preserve
their servo tracks, the data may not be complete or even decipherable."

But representatives from Imation, a magnetic data storage tape
manufacturer in Oakdale, Minn., reviewed the used tapes examined by GAO.
Using a tape drive, a standard personal computer and standard
programming language, Imation reported being able to access bank account
numbers, employee information, travel expense reports, audit procedures
and results, employee savings plan balances and international tax
benefits documents.

The results prompted Congress last week to ask GAO to reopen its
investigation into agencies selling used magnetic tapes.

"If federal agencies are selling used magnetic storage tapes on the open
market with this level of recoverable sensitive data available to anyone
with minimum technical skills or equipment, we should all be alarmed and
demanding greater accountability from federal agencies engaged in such
sales," wrote Rep. Betty McCollum, D-Minn., in a letter to GAO in which
she asked that the investigation be reopened. "The result of the work
conducted by Imation clearly challenges the earlier GAO conclusion that
used tapes represent a low security risk... The fact remains that
substantial amounts of highly sensitive government and personal data of
citizens may be circulating in the open market on 'recertified' used
tapes."

McCollum has called for GAO to identify which federal agencies resell
tapes and confirm that all sensitive information is properly erased. She
also has asked GAO to find out the processes used to ensure that
sensitive data is fully erased, the standards for certifying that tapes
are erased and the systems in place to monitor the dispositions of tapes
by agencies or contractors. She asked for recommendations on how to
improve oversight of such dispositions.

GAO could not be reached for comment.

[1] http://www.gao.gov/new.items/d071233r.pdf
Received on Thu Jan 24 00:34:39 2008