Contact The Editor
Articles By This Author
Government officials under Joe Biden improperly shared sensitive documents with thousands of federal workers, including floor plans of the White House, according to internal records reviewed by The Washington Post.
Career employees at the General Services Administration, which provides administrative and technological support for much of the federal bureaucracy and manages the government's real estate portfolio, were responsible for the oversharing, which spurred a cybersecurity incident report and investigation last week. The records show that the employees inadvertently shared a Google Drive folder containing the sensitive documents with the entire GSA staff, which totals more than 11,200 people, according to the agency's online directory.
The information shared also included the details of a proposed blast door for the White House visitor center, the records show, as well as bank account information for a vendor who assisted with a Biden administration news conference.
The Google Drive oversharing, which began during the Biden administration but persisted through the Trump administration until last week, follows several recent security lapses. Last month, top officials inadvertently included the editor in chief of the Atlantic magazine in an unclassified chat used to discuss highly sensitive military planning, and Trump's national security adviser and his staff used personal Gmail accounts for government communications, which experts described as insufficiently secure, The Post reported.
The oversharing, which continued over at least four years, also suggests a pattern of sloppy handling of sensitive information that spans both the Trump and Biden administrations. A special counsel report last year found that Biden carelessly kept classified documents and notebooks at his home.
The records reviewed by The Post did not specify whether the East and West Wing plans, the blast door details, or the banking information were classified. Nine of the 15 files shared in the Google Drive folder were marked CUI for "controlled unclassified information," which refers to "sensitive information that does not meet the criteria for classification but must still be protected," according to government protocols. At least 10 of the shared files allowed GSA employees to not only view but also edit the content, the records show.
The file sharing dates at least to early 2021, at the start of the Biden presidency, and the files remained accessible into the Trump administration.
The White House did not immediately respond to a request for comment Sunday. Nor did a representative for Biden.
GSA spokesman Jeff White said in a statement Monday that none of the files shared contained classified information. He said GSA officials learned of the improper sharing on April 14 and took action to limit access by the next day.
White added that the agency uses software that regularly scans its Google Drives to detect files that are inappropriately shared and lock those down. GSA also holds yearly mandatory trainings for staff to teach them best practices for document sharing and privacy, he said.
The breach indicates a general need to strengthen safety training measures for government workers who must live and work in a digital age, said Michael Williams, a Syracuse University professor who studies international security and defense issues.
The documents "are absolutely not something you want shared to 11,200 people," Williams said. "The danger of this kind of mistake is a challenge across all administrations. It's not just particularly bad for the Trump administration."
One of the earliest improper shares took place in March 2021, when a GSA employee inadvertently shared all staff on a "safety environment management survey" for the East Wing of the White House, which included "blueprints" of the wing, the records show. The East Wing includes the White House visitors entrance as well as offices of the first lady.
The employee's error consisted of altering the share settings in Google Drive so anyone within GSA could find and edit the documents, the records show.
In December of that year, the same employee shared a similar report about the West Wing of the White House, which includes the Oval Office, Cabinet Room, Situation Room and the press briefing room. The employee also inadvertently shared a "design build" for blast doors to be installed at the White House Visitor Center, a block away from the White House itself.
Those files remained open to the entire agency for years, according to the records.
Detailed floor plans and layouts of the White House building are not classified information, said Steven Aftergood, a security policy analyst formerly with the Federation of American Scientists. Only plans revealing "undisclosed structures, passages or security measures" would be classified under an executive order issued in 2009 to protect national security information, he said. But it was still a bad idea to share the White House documents so widely, Aftergood said.
"Even if they were not formally classified," Aftergood said, "they would be closely held for obvious security reasons."
Other items shared in subsequent years include building details for a courthouse, the documents show, as well as two project manuals and drawings. Most of these files were marked CUI, the records show. There were three improper shares during the final year of the Biden administration, according to the records, as well as one share which is undated.
The GSA's Office of Inspector General learned of the inappropriate sharing last week during an ongoing security audit of the agency's use of Google Drive, according to the records.
During that audit, inspectors found that sensitive information appeared to have been "improperly" shared across the agency, the records show. Inspectors reported the issue Tuesday to the agency's incident response team, part of the IT staff that handles security breaches.
By Thursday, the IT team had identified the owners of the files and reversed the file-share, so the documents were no longer accessible to 11,000-plus employees, the records show.
The GSA IT team repeatedly attempted to contact the owner of the files but never received a response, the records show. The IT team's investigation into the incident continues, the records show.
(COMMENT, BELOW)