SALT LAKE CITY — Nearly 15,000 laptops used by U.S. Department of the Interior employees don't have proper safeguards to protect sensitive information from being hacked by a cyber criminal because of a management decision to depart from best practices.
A memo issued by Deputy Inspector General Mary L. Kendall and released Wednesday said the laptops — some likely in Utah — are at "high risk of compromise" should they be lost or stolen because the agency did not require pre-boot authentication.
In that process, a user is asked to provide a username and password prior to the computer's operating system and encryption key being loaded into memory.
By sidestepping this requirement, Kendall said not only are employees' personal information, such as usernames, passwords, Social Security numbers and other data, at risk, but the agency's entire network and systems are vulnerable to unauthorized access.
The agency has multiple bureaus that work with sensitive information, including the U.S. Geological Survey, the Bureau of Land Management and the Bureau of Reclamation, which oversees many dams in the West.
Kendall said that once inside the department's computer network, the cyberattacker could potentially disrupt bureau operations and steal sensitive information.
"Thus, the department's ineffective implementation of full disk encryption could not only result in the loss of sensitive data on a compromised laptop, but could also be used to breach bureau networks and systems, potentially resulting in severe adverse effects on department IT assets, operations and individuals," she wrote.
Kendall pointed to findings from a leading technology security firm that said lost or stolen mobile computing devices, including laptops, computers and smartphones, were the leading cause — 41 percent — of reported data breaches across the nation from 2005 to 2015.
Within the Interior Department itself, 35 percent of its computers are not properly configured to prevent against such vulnerability, and over the past three years, the agency has documented 64 incidents in which laptop drives were either lost or stolen — and those were computers without the pre-boot authentication feature, the memo said.
Kendall is recommending that the agency's chief information officer require the safety protocol and is asking for a response to the memo within 30 days on what actions have been taken.
Nancy DiPaolo, director of external affairs for the Office of the Inspector General, said another probe of the Interior Department's cyber vulnerability for handheld devices such as smartphones should be completed within the next few months.