'Erased' personal data on agency tapes can be retrieved, company says

Personal and sensitive government data -- including employees' personal data -- on magnetic tapes that federal agencies erase and later sell can be retrieved using simple technology, according to an investigation conducted by a storage tape manufacturer. The findings contradict a report released by the Government Accountability Office last year that concluded such data was irretrievable.

From March through August 2007, GAO investigated if data could be retrieved from used magnetic tapes that federal agencies sell to commercial tape companies in the United States. Magnetic tapes are widely used by federal agencies, particularly for backing up data stored on large systems in the event of a disaster or system failure. The sample of tapes that GAO obtained came from such agencies as the Federal Reserve Bank, the Air Force and the National Oceanic and Atmospheric Administration.

According to its September 2007 report (GAO-07-1233R), GAO concluded it could not find "any comprehensible data on any of the tapes using standard commercially available equipment and data recovery techniques, specialized diagnostic equipment, custom programming or forensic analysis."

Selling used magnetic tapes is not illegal, GAO pointed out, and if agencies follow guidelines set by the National Institute of Standards and Technology for erasing all data, the risk of theft is low. "Based on the limited scope of work we performed, we conclude that the selling of used magnetic tapes by the government represents a low security risk, especially if government agencies comply with NIST guidelines in sanitizing their tapes," GAO concluded. "Even if some data were recoverable from some tape formats that had been overwritten to preserve their servo tracks, the data may not be complete or even decipherable."

But representatives from Imation, a magnetic data storage tape manufacturer in Oakdale, Minn., reviewed the used tapes examined by GAO. Using a tape drive, a standard personal computer and standard programming language, Imation reported being able to access bank account numbers, employee information, travel expense reports, audit procedures and results, employee savings plan balances and international tax benefits documents.

The results prompted Congress last week to ask GAO to reopen its investigation into agencies selling used magnetic tapes.

"If federal agencies are selling used magnetic storage tapes on the open market with this level of recoverable sensitive data available to anyone with minimum technical skills or equipment, we should all be alarmed and demanding greater accountability from federal agencies engaged in such sales," wrote Rep. Betty McCollum, D-Minn., in a letter to GAO in which she asked that the investigation be reopened. "The result of the work conducted by Imation clearly challenges the earlier GAO conclusion that used tapes represent a low security risk.… The fact remains that substantial amounts of highly sensitive government and personal data of citizens may be circulating in the open market on 'recertified' used tapes."

McCollum has called for GAO to identify which federal agencies resell tapes and confirm that all sensitive information is properly erased. She also has asked GAO to find out the processes used to ensure that sensitive data is fully erased, the standards for certifying that tapes are erased and the systems in place to monitor the dispositions of tapes by agencies or contractors. She asked for recommendations on how to improve oversight of such dispositions.

GAO could not be reached for comment.
