Disused hard drives strewn about Oak Ridge laboratory, says IG

Disused hard drives potentially carrying sensitive unclassified information have been left in unsecured locations within the Oak Ridge National Laboratory, says a new Energy Department inspector general report.

The report, dated August 16 and based on audit work conducted from January through April of this year, says the lab has lacked internal controls to track and control desktop hard drives. The Oak Ridge national lab is managed by UT-Battelle, a partnership between the University of Tennessee and the Battelle Memorial Institute.

Computer security officers at Oak Ridge told auditors they had found hard drives in locations such as hallways, docks and unoccupied offices. Energy Department guidance requires that any storage device no longer in use that held sensitive unclassified information--including personally identifiable information about other people--either be encrypted, or be tracked and controlled until it is purged or destroyed.

While Oak Ridge policy requires full disk encryption for laptop computers, the lab has yet to implement guidance for desktop hard drives used in sensitive unclassified systems, the report states.

When auditors asked computer security officers how many hard drives they had in storage, one officer estimated the number at about 100. A look at the storage room--where hard drives were kept in cardboard boxes labeled "HARD DRIVES" in permanent marker--turned up only 55 in the officers' possession, however. Computer security officers ultimately identified about 1,500 recovered hard drives, which they later destroyed, the report states.

When auditors ran a forensic examination of one hard drive recovered from an unsecured area, they found it potentially contained sensitive information--namely the name, date of birth and medical information of an Oak Ridge employee. Auditors can't say for certain whether that data represents a potential data breach, since the examination didn't determine who placed the data on the hard drive, whether the individual in question or another person. But the hard drive did contain that individual's salary information, which Oak Ridge does classify as sensitive unclassified information, the report adds.

Oak Ridge management told auditors that encryption and tracking of hard drives is not a requirement, a point auditors allow for drives still in use while pointing out that encryption or tracking of disused hard drives that held sensitive unclassified information is a requirement. Management officials also said language about finding hard drives in unoccupied offices is misleading because those offices were locked, to which auditors respond that computer security officers told them only some of the offices were locked.

Nonetheless, UT-Battelle agreed with all of the inspector general's recommendations, noting that even before the draft report was issued, it had created a Six Sigma team to address the disposition and disposal of hard drives.

For more:
- download the Energy Department inspector general report, INS-O-10-03 (.pdf)