Ben Bain reports:
The National Archives and Records Administration violated its information security policies by returning failed hard drives from systems containing personally identifiable information of current government employees and military veterans back to vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them, according to a top NARA official.
However, the agency believes there was no disclosure of personally identifiable information despite the violations of its own policy, said NARA’s then-acting archivist Adrienne Thomas.
[…]
“NARA and the inspector general continue to review these incidents; however, at this time, there is no evidence that the defective disk drives were ever in unauthorized hands or that any PII was accessed from these disks and my staff and I have concluded that there was no PII breach,” she added.
However, Brachfeld wasn’t sure about the security of the hard drive from the veterans system or who had access to the data after it left NARA’s control and then passed between several companies.
Read more on FCW.