The system the EPA used to track responses to IT-related issues reported by employees put the personal information of those employees at risk of exposure, the IG has found.
The audit confirmed allegations in a hotline complaint that the tracking system for issues such as the need to reset passwords, remove a virus or grant access to a system included personal information “which can be viewed by all registered users” of the tracking system, including other agency employees and contractors not authorized to access that information.
Auditors identified 25 incident tickets that disclosed information including Social Security numbers, W-2 information, dates of birth, home addresses and Thrift Savings Plan account information.
It said the EPA is rolling out a new system but that the agency envisioned applying to it the same operating procedures, which did not require help desk technicians to exclude such information from incident tickets. The IG said that after meeting with agency management, it is satisfied that corrective actions are under way, but that several other recommendations remain open.