Auditors Report FBI Fails in Tracking Lost Laptops

An anonymous reader writes "The Department of Justice's Office of Inspector General is reporting that the FBI has lackluster performance when it comes to tracking data lost on missing laptops. In a recent 44-month audit (ending in Sept. 2005), the FBI reported 160 lost or stolen machines. Of those, ten were confirmed to have sensitive info. A startling 51 of these machines had unknown information — in other words the FBI never knew what they lost. Some of these machines likely contained some of the most sensitive security information the FBI has, as there were several in the bunch that belonged to members of the Counterintelligence and Counterterrorism Divisions. But the FBI was never able to properly respond to these losses because someone didn't fill out the right paperwork. The OIG has a copy of the audit (pdf) for public consumption."

Lost Stolen

[fluffy99]

Unlike most, I at least skimmed through the IG report. Only a handful of those laptops were confirmed as stolen, the rest are simply lost. In my experience, lost usually means: another agency or department has it and the agency that originally procured it lost track of it; it was an ancient laptop and its in the bottom of a closet somewhere; or it was scrubbed and disposed of without the proper paperwork being done. Thefts do happen, but it's just a likely that the employee took it home and his kid is playing pac-man on it.

Computrace

[PoitNarf]

Sounds like the FBI needs to invest in tracking software such as Computrace: http://www.absolute.com/

We use this software at my job and have used it to successfully track and recover stolen laptops several times already. Many laptops from manufacturers such as Lenovo, Dell, Gateway and several others actually can store the tracking agent within the BIOS itself so that it cannot be removed (unless you change out the motherboard). If a new hard drive is installed into the laptop, the agent will reinstall itself onto the hard drive from the BIOS. It also has the ability to wipe the hard drive clean remotely if the laptop is found to be stolen.

Re:Alright....

[B'Trey]

160 over three and a half years? Out of some 21,000? Doesn't seem overly excessive to me.

The article also fails to differentiate between NIPR (unclassified) and SIPR (classified) laptops. Regardless of your clearance, it's illegal to put classified information on a non-classified laptop. And classified laptops can not generally be taken home unless you have a certified storage location (a safe.) If they're not locked up, they should be in your direct possession at all times. If a significant number of classified laptops are missing, then it's a serious issue both in terms of the potential damage and in terms of users violating security procedures.

Non-classified laptops missing can be serious as well, particularly in terms of individual personal data being compromised and leading to identity theft or credit fraud. But the loss of sensitive-but-unclassified info is not nearly as serious in terms of the big picture as loss of classified data.