Federal technology department unwittingly purged a year's span of messages from the device of the previous chairperson's phone.

The Office of Inspector General (OIG) published a new report on September 6, 2023, detailing the erasure of nearly a year's worth of text messages from Gary Gensler's government-issued phone. The former Securities and Exchange Commission (SEC) chair served during the Biden administration.

The trouble began on July 6, 2023, when Gensler's phone lost its connection with the SEC's mobile device management system. This incident was followed by a series of missteps by the SEC's IT office, leading to the automatic deletion of the device's data, including text messages, before they could be backed up.

On August 10, 2023, the SEC's Office of Information Technology launched a policy to remotely wipe any SEC-issued mobile devices that hadn't linked with the device management system for 45 days or more. The text messages were erased due to this policy, but had it been known by the Office of Information Technology or Gensler, they could have been recovered.

The OIG's review was a partial one, pieced together via an OIT matching process of SMS messages from certain SEC and non-SEC-issued numbers to Gensler's phone number. The review found that roughly 38% of the missing text messages were "mission related and concerned matters directly involving SEC senior staff and/or Commissioners at the time." These included conversations about an enforcement action against a crypto platform, a possible settlement with a global financial services firm, and the appointment of a new commissioner.

The OIG reported that inadequacies in the report impacted its reliability and usefulness, as they could not review the missing text messages to definitively determine their status as records. However, they surmised that many, if not most, would be records.

The SEC concurred with all five of the OIG's recommendations aimed at better mobile device management practices. The SEC pledged to complete the tasks within the next six months. The SEC also disabled text messaging across the agency, with some exceptions, due to the incident.

The SEC's IT office was criticized for poor change management with regard to the wiping policy, not maintaining its mobile device inventory, not identifying inactive devices, and not effectively reviewing and escalating relevant system-generated notifications. The new policy was based on the assumption that such devices were not in use, potentially lost or stolen, and could no longer connect to the SEC's network.

The SEC alerted the National Archives and Records Administration of the change. The OIG noted that because OIT did not collect or maintain necessary log data, they could not determine why Gensler's device stopped communicating with the SEC's mobile device management system. An incident report, which cost the agency more than $50,000, discovered that the SEC's mobile device vendor knew of a 'bug' in prior versions of its operating system that could break the connection between a mobile device and a mobile device management system. This could potentially be the cause of Gensler's initial phone troubles.

The SEC has promised to rectify these issues and improve its mobile device management practices to prevent such incidents in the future.

Federal technology department unwittingly purged a year's span of messages from the device of the previous chairperson's phone.