Secret Service put protectees, employees at risk with mobile device security blunders
The Secret Service has serious gaps in its mobile device management and security practices, leading to heightened risks for the nation’s leaders, other protectees and its employees, according to an inspector general report published Thursday.
The security and management gaps included a culture of using personal devices even in protective operations, a lack of security software on government-issued devices and the approval of apps containing vulnerabilities, among others.
Much of the blame, per the report, lies with the Department of Homeland Security unit’s Office of the CIO, which is responsible for establishing security standards and ensuring compliance with policies.
“Because OCIO’s process for identifying and implementing capabilities on [government-furnished equipment] mobile devices did not ensure that employees were prepared — and because the use of personal devices was normalized — there is a risk that OCIO may not properly identify and prioritize other operational needs,” the inspector general report said.
Employees pointed to issues with their government-issued devices as the reason for the lapse in protocol, citing technical limitations and diminished reliability. Government-issued devices, for example, would “frequently” disconnect from the virtual private network and couldn’t download “essential” apps to conduct investigations and communicate with local law enforcement.
Records revealed employees were claiming reimbursement for use of personal devices after traveling internationally, illustrating the practice was “routine” and “expected,” per the watchdog. Personal devices are typically less secure than those managed by the government and pose challenges for record retention.
The CIO office also did not “consistently” wipe data from GFE devices after employees returned from international missions, despite having a policy outlining the process.
“One employee stated that their phone had never been wiped over eight years and 20 international trips, including travel to high-risk countries,” the report said. “Another employee reported 15 trips over eight years and estimated that their phone had been wiped only four times.”
The inspector general’s office conducted the audit after other reviews uncovered concerns in the aftermath of the attempted assassination on then-former President Donald Trump during a Pennsylvania campaign rally on July 13, 2024. The watchdog reviewed records dating back to October 2022 through April 2025.
During that time, the audit was delayed due to the agency’s appropriation lapses and internal friction. The OIG said the Secret Service “delayed” access to asset management and travel systems for 130-plus days, limiting the analysis and negatively impacting the review timeline.
The Secret Service pushed back on the claim.
“DHS is not required to provide the information to the OIG via direct access to agency systems, especially where the agency, as the steward of the data, assess that the system may include a significant amount of data that is beyond the scope of the OIG’s stated objectives,” Secret Service Director Sean Curran said in a letter to IG Joseph Cuffari.
In response, the IG reaffirmed the impact of the delays.
“Lasting more than 130 calendar days, these delays significantly impacted our ability to meet project milestones and prevented us from independently validating the Secret Service’s property information and performing targeted interviews related to mobile device use, limited the extent of our planned analysis, and negatively impacted the review timeline,” the office said.
The Secret Service, however, did concur with the five recommendations made by the watchdog, agreeing that the OCIO needs to fill security and management gaps. The recommendation includes a request for the OCIO to demonstrate a formal intake process to ensure mobile device capabilities meet mission needs. Another recommendation required the OCIO to enact an outreach strategy to communicate guidance on mobile device usage.
Remediation work is already underway. The IG closed and resolved one recommendation and awaits evidence for others.
“We take seriously the OIG’s work in this report, and consequently made several comprehensive enhancements to Secret Service communications policies and protocols to both mitigate the potential for adversaries to intercept and exploit Secret Service information, as well as further strengthen the protective environment,” Curran said.
Mobile device security and management seem to be a sticking point for the Department of Homeland Security. Last month, the agency’s CIO and intelligence office were the subject of such scrutiny after having introduced a greater risk of cyberattacks and unauthorized access to sensitive information.
