WASHINGTON — The Department of Homeland Security failed to effectively secure smartphones used by staff in its intelligence office, raising the risk of cyberattacks and unauthorized access to sensitive information, the department’s inspector general said in a report published Monday.

The independent watchdog found that the department did not require certain security settings and allowed the office’s employees to download “high-risk apps” on mobile devices, including apps used for streaming or “associated with foreign adversaries.”

The report underscores security vulnerabilities at an office that helps identify national security threats and provides intelligence to state and local partners. Although immigration has been at the forefront of the department under the Trump administration, it was created in the wake of the Sept. 11 attacks and has a broader mission of preventing terrorism and protecting the country from a variety of threats.

In a letter responding to the report, the Department of Homeland Security said it concurred with the watchdog’s recommendations and that it had already made some changes to better secure its mobile devices. The department also cast blame on the Biden administration in a statement Monday.

“DHS has worked diligently to fix the vulnerabilities Democrats created so that we can securely do our jobs in keeping Americans safe and secure in the homeland,” the statement said.

The inspector general’s report examined data on mobile devices used by the intelligence office in 2024, including smartphones and tablets that were considered “unclassified” but could hold law enforcement sensitive information.

The department centrally manages and enforces security policies on its mobile devices. But the report found that 76% of apps installed on devices used by its Office of Intelligence and Analysis posed security risks, were prohibited or allowed prohibited activities. The report did not give a specific list but said the apps were used for file sharing, online gaming, private web browsing and social networking.

Although the department generally restricts the use of apps it has not approved, it does not prevent the office’s employees from installing unapproved apps, according to the report. Some of the high-risk apps were also approved by the department, the watchdog said.

“The presence of these high-risk apps on government mobile devices significantly increases the potential for a security breach,” the report said.

The report also said the department allowed the office’s roughly 800 employees to reuse old passcodes and did not ensure all devices were properly updated. The department also did not ensure that employees’ phones received proper authorization for international travel or were configured with features to reduce the risk that foreign adversaries could intercept communications.

In its response, the Homeland Security Department said it would evaluate available options to remove prohibited apps already installed on devices. It also said that apps not managed by its mobile device system did “not have access to DHS data and services.”

“For example, the Microsoft Outlook cannot share data with an unmanaged Waze application,” the department said in its letter.

The department also said the intelligence office would update or issue new guidance that clearly details the procedures for obtaining approval for foreign travel.

—

This article originally appeared in The New York Times.

By Madeleine Ngo and Hamed Aleaziz/Valerie Plesch
c. 2026 The New York Times Company