Secret Service phone security lapses put US officials at risk, watchdog says

The Secret Service failed to effectively secure and manage mobile devices used for official business, including during protective operations, creating risks that adversaries could intercept sensitive communications and use them to target U.S. leaders and other protectees, according to a watchdog report issued Thursday.

The Department of Homeland Security’s inspector general determined Secret Service employees routinely relied on personal phones for official work, including during domestic and overseas protective assignments, because government-issued devices lacked key tools needed to communicate with law enforcement, foreign partners and other officials.

Those personal devices were not managed or secured by the government, creating vulnerabilities that could expose operational details, employee information, contacts, location data, photos and other sensitive material, the report said.

Adversaries “could have intercepted and exploited Secret Service information, placing at risk our Nation’s leaders, other protectees, and employees — especially when unsecured devices were used overseas,” the inspector general wrote.

The audit grew out of broader reviews of the Secret Service following the July 13, 2024 attempted assassination of then-former President Donald Trump at a campaign rally in Butler, Pa. During those reviews, the watchdog said it learned that Secret Service personnel frequently used personal cellphones for official business, raising security and federal records concerns.

One episode described in the report connects the issue directly to the Butler security breakdown. Shortly before the attempted assassination, a Secret Service employee used a personal device to receive a picture message from local law enforcement of the would-be assassin because of reliability concerns with the employee’s government-issued phone. The employee told investigators that prior issues had prevented them from sending text messages with images using government equipment.

The watchdog also found that, after the attack, another employee had to take extra steps to email a photo of the would-be assassin to colleagues because a known issue prevented them from simply forwarding the image by text on a government-issued device.

The report points much of the blame at the Secret Service’s Office of the Chief Information Officer, which is responsible for setting mobile device security standards, managing government-issued devices and ensuring compliance with agency policies.

Secret Service employees told investigators that government-issued devices often lacked commercial messaging apps commonly used by foreign police, military officials, embassy drivers, State Department personnel and other partners overseas. Some also said they needed personal devices to access websites blocked on government phones, including sites used to research restaurants where a protectee was scheduled to dine.

Employees also cited reliability problems. According to the report, government-issued devices frequently disconnected from the Secret Service virtual private network, and about 12% of wireless help desk tickets involving mobile devices were related to VPN issues.

The watchdog found that the use of personal devices had become routine and expected during foreign assignments. Of 24 employees and supervisors interviewed about international travel reimbursement records, 23 said they relied on personal devices, with most saying they needed them during nearly every foreign assignment.

The inspector general also reviewed call and text records and found more than 15,000 instances in which employees sent or received calls from colleagues’ personal phones while working protective events. It found about 24,000 text messages between personal devices and government-issued phones, though its analysis did not include communications made solely between personal devices or through messaging apps.

The report also found that Secret Service mobile devices used overseas lacked required mobile threat defense software designed to provide real-time protection from malware, cyberattacks and other threats. The Secret Service did not begin installing that software on any government-issued mobile devices until August 2025, despite DHS policy requiring it for devices used outside the United States.

The watchdog also found that the Secret Service did not consistently wipe data from government phones after employees returned from international missions, even though agency policy required employees to wipe devices within 24 hours of returning to the United States. One employee told investigators their phone had never been wiped over the course of eight years and 20 international trips, including travel to high-risk countries. Another employee reported 15 trips over eight years and estimated their phone had been wiped only four times.

The Secret Service concurred with all five watchdog recommendations, including recommendations to improve its process for identifying mobile device needs, strengthen cybersecurity training, communicate that personal devices are not allowed for official business and update app vulnerability testing policies.