'Erased' personal data on agency tapes can be retrieved, company says

Personal and sensitive government data -- including employees' personal data -- on magnetic tapes that federal agencies erase and later sell can be retrieved using simple technology, according to an investigation conducted by a storage tape manufacturer. The findings contradict a report released by the Government Accountability Office last year that concluded such data was irretrievable. From March through August 2007, GAO investigated if data could be retrieved from used magnetic tapes that federal agencies sell to commercial tape companies in the United States. Magnetic tapes are widely used by federal agencies, particularly for backing up data stored on large systems in the event of a disaster or system failure. The sample of tapes that GAO obtained came from such agencies as the Federal Reserve Bank, the Air Force and the National Oceanic and Atmospheric Administration. According to its September 2007 report (GAO-07-1233R), GAO concluded it could not find "any comprehensible data on any of the tapes using standard commercially available equipment and data recovery techniques, specialized diagnostic equipment, custom programming or forensic analysis." Selling used magnetic tapes is not illegal, GAO pointed out, and if agencies follow guidelines set by the National Institute of Standards and Technology for erasing all data, the risk of theft is low. "Based on the limited scope of work we performed, we conclude that the selling of used magnetic tapes by the government represents a low security risk, especially if government agencies comply with NIST guidelines in sanitizing their tapes," GAO concluded. "Even if some data were recoverable from some tape formats that had been overwritten to preserve their servo tracks, the data may not be complete or even decipherable."

But representatives from Imation, a magnetic data storage tape manufacturer in Oakdale, Minn., reviewed the used tapes examined by GAO. Using a tape drive, a standard personal computer and standard programming language, Imation reported being able to access bank account numbers, employee information, travel expense reports, audit procedures and results, employee savings plan balances and international tax benefits documents.

The results prompted Congress last week to ask GAO to reopen its investigation into agencies selling used magnetic tapes.

"If federal agencies are selling used magnetic storage tapes on the open market with this level of recoverable sensitive data available to anyone with minimum technical skills or equipment, we should all be alarmed and demanding greater accountability from federal agencies engaged in such sales," wrote Rep. Betty McCollum, D-Minn., in a letter to GAO in which she asked that the investigation be reopened. "The result of the work conducted by Imation clearly challenges the earlier GAO conclusion that used tapes represent a low security risk.… The fact remains that substantial amounts of highly sensitive government and personal data of citizens may be circulating in the open market on 'recertified' used tapes."

McCollum has called for GAO to identify which federal agencies resell tapes and confirm that all sensitive information is properly erased. She also has asked GAO to find out the processes used to ensure that sensitive data is fully erased, the standards for certifying that tapes are erased and the systems in place to monitor the dispositions of tapes by agencies or contractors. She asked for recommendations on how to improve oversight of such dispositions.

GAO could not be reached for comment.