The Government Printing Office, criticized for lax security on passports, can't locate at least 88 laptops issued to employees, some of whom had access to sensitive information about the e-Passport that is a crown jewel of America's border security.
The federal printing agency's internal watchdog says the lion's share of missing laptops involved the agency's Information and Technology Services division and that some of the losses may have exposed sensitive information about the vulnerability of the e-Passport supply chain.
"The failure to adequately account for laptops may have resulted in the inadvertent exposure of sensitive GPO business information about acquisitions and human capital, as well as the manufacture and issuance of security documents such as U.S. passports," the inspector general reported.
The passports store biometric information on tiny computer chips designed to validate the true identity of passport holders, and then transmit the data to U.S. officials at customs checkpoints using a tiny radio antenna. Even the photograph is digitized. The aim is to prevent tampering or unauthorized reading of the data
But GPO's supply chain for the e-Passport that controls access at U.S. ports of entry has been a cause of concern for years.
The wordCenter for Public Integrity and ABC News reported in a joint investigation this summer that GPO had weak security policies intended to protect e-Passport components manufactured or assembled overseas. Those policies allowed some components to be made in Thailand -- despite repeated warnings of the nation's instability and proximity to terrorists.
Security specialists -- including some within the GPO -- worry that if criminals or terrorists gain access to e-Passport components, they could clone a passport and foil the electronic security system.
GPO told the Center this summer that it had planned to move all of the Thailand component production to a plant in Minnesota by this August.
GPO spokesman Gary Somerset said Tuesday the agency completed the transition to Minnesota in mid-September, and the agency was taking steps to address the concerns about the laptops.
"GPO has a process of turning in used laptops to the agency's IT department to have the hard drives erased or destroyed. However, the IG report noted the agency needs a better inventory control system once a laptop has been re-issued or destroyed. GPO is working on procedures to implement such a system," he said.
"Also, there is no evidence to indicate any sensitive information has been compromised," he added.
Agency managers were quoted in the inspector general report as saying they agreed with the findings and "planned corrective actions that we consider responsive to the recommendations."
GPO Missing Laptop Investigation Began In 2008
The GPO inspector general said it began investigating the issue in 2008 after receiving a report that 20 laptops were missing or stolen from a storage area.
The watchdog sampled about half of the agency-owned laptop supply. It found 88 of the sample of 304 could not be accounted for. It estimated that altogether between 150 and 213 laptops were likely missing out of a total supply of 629 issued to employees between 2005 and 2009.
Of particular concern, 68 of the missing laptops were issued before GPO began encrypting data on the laptops and as many as 28 of the lost laptops belonged to GPO employees with access to sensitive information.
Among them were two former Security and Intelligent Documents Unit employees, including the former Product Security Manager, "who performed risk assessments of e-passport supply chain vendors and suppliers," the inspector general reported.
Agency officials said they had a record of wiping the data clean on one of those laptops but still couldn't find the computer. Somerset said late Tuesday that the missing computer was finally located. "Upon further investigation, this laptop in question is currently within GPO's possession and we have verified the memory has been wiped clean," he said.
"With as many as 213 laptops projected missing, GPO risked exposing sensitive information," the inspector general warned.
John Solomon is executive editor of the Center for Public Integrity, a nonprofit, nonpartisan investigative reporting outlet in Washington, D.C.