Secret Service under investigation over loss of sensitive files on Metro

The Secret Service is the target of an investigation into an "immense breach" involving the loss of two backup computer tapes left on a Washington, D.C., Metro train that contained sensitive personal information about all agency employees, contacts and overseas informants, according to multiple law enforcement and congressional sources.

The ongoing probe is one of 13 new investigations involving the Secret Service launched by the Department of Homeland Security Office of Inspector General (DHS-OIG) in recent months. The new investigations stem from information received during the course of DHS-OIG's ongoing 'Culture of Secret Service' probe, requested by the Senate Homeland Committee in the wake of the Cartagena, Colombia prostitution scandal in April. While these new investigations are ongoing, the Culture of the Secret Service report is expected to be released sometime in the spring.

The Secret Service acknowledged the incident surrounding the lost tapes, but downplayed the security risk.

Sources said the tapes were lost on the Red Line of the Metro in 2008 by a young, low-level associate of a private contracting company that had been hired to transport them from Secret Service's Investigative Resources Management division at the agency's headquarters in the Penn Quarter section of Washington, D.C., to a secure vault in Olney, Md., where government agencies store contingency plans, documents and other backup material. The employee had volunteered to deliver the tapes because he lived near the location of the vault, but got off at the Glenmont, Md., Metro stop without the tapes, according to sources.

Sources said the "personally identifiable information" -- or "PII," in government-speak -- on the tapes includes combinations of the following:  Social Security Numbers; home addresses; information about family members; phone numbers; dates of birth; medical information; bank account numbers; employment information; driver's license numbers; passport numbers; and any biometric information on file with the Secret Service.

More On This...

    Another source said the tapes also contained backup case file information from computers at Secret Service headquarters. The tapes contained a "mishmash of everything" from Secret Service computers because it was part of a now-outdated "disk shuffling" system used to transfer information between Secret Service computers and the off-site backup facility, according to two sources.

    In an email response to's request for comment, Secret Service spokesman Ed Donovan confirmed the incident, but said the information on the tapes was protected:

    "In February of 2008, a contract employee whose function was to maintain, secure and transport this type of information lost two 'back-up' tapes on the DC Metro while transporting them to an off-site facility. These back-up tapes were not marked or identified in any way and were protected by multiple layers of security. They could not be accessed without the proper equipment, applications and encoding."

    Two Secret Service sources with knowledge of the incident disagreed.

    "It was very basic encryption. Let's just say it wouldn't take a genius to crack it," one of the sources said.

    Congressional and law enforcement sources told that the Secret Service failed to comply with strict DHS-wide procedure for reporting and responding to privacy incidents where personally identifying information is lost, released or otherwise compromised.

    "They just covered it up so they wouldn't get in trouble, so they wouldn't be scrutinized for such a huge breach of security," one official said.

    "That's why OIG opened up a case on this matter -- and the other ones they've opened up are similar in that they show efforts on the part of Secret Service leadership to whitewash security breaches."

    Secret Service officials contacted Metro Transit Police and asked them to be on the lookout for the tapes, but no police report was filed, according to sources who said the severity of the breach was never made clear to either law enforcement or Secret Service staff whose identities could have been compromised.

    Multiple sources said Secret Service management did not follow legal requirements to properly report the loss or compromise of sensitive PII when the computer tapes were lost -- a charge the Secret Service denied.

    "The Metropolitan Transit Police were notified of the loss and assisted Secret Service agents searching for the lost tapes. All appropriate entities at DHS were notified, to include DHS-OIG, the Office of the CIO, the Security Operations Center, and the Privacy Office," said Donovan's statement. "The Secret Service complied with all guidelines related to loss of information. Subsequent to this incident the Secret Service instituted protocols to prevent this from happening again. To date there has been no reported fraud associated with the loss of these tapes."

    But four sources with knowledge of aspects of the investigation told that DHS-OIG opened the investigation into the missing tapes because Secret Service officials did not properly comply with reporting requirements.

    According to one source, Secret Service officials reported some non-critical personal data may have been compromised, but also said there was no need for further action or follow-up. Sources said no one informed agency employees or overseas contacts that their data and private personal information had been compromised.

    "USSS reached out to Metro police and asked if they had found the [tapes], which they hadn't. And then they didn't even file a police report," one source said. "They didn't report it to anyone, they didn't inform the people whose information had been lost -- they did nothing."

    Contact this reporter at