This management advisory is to alert the U.S. Department of the Interior (DOI) to an incident we discovered in which a DOI employee unnecessarily shared a spreadsheet containing the personally identifiable information (PII) of 182 employees from a number of DOI bureaus.
During a recent investigation, we learned that the DOI employee created the spreadsheet for use in internal training and then emailed it to a group of from several DOI bureaus. Because the group members all got the same spreadsheet, they were able to access the PII of employees in DOI bureaus outside their own. We determined that the group members had no business- or training-related need for the PII of employees from other bureaus.
The subject of our investigation attempted to send the list to his personal email account and intended to access it on his personal computer, which had software installed that made it vulnerable to outside access and control. Although the subject's attempt was blocked, the DOI employee's unnecessary transmittal of the spreadsheet to the entire group placed the PII of 182 employees at an increased risk of compromise. We encourage DOI to review its procedures for limiting access to PII only to those with a business need to know.