• An American flag flies on top of the White House, February 12, 2022, Washington (AP)

Government staff working under both the Biden and Trump administrations improperly distributed sensitive materials, including potential White House floor plans, to thousands of federal employees, according to internal documents reviewed by The Washington Post.

The General Services Administration (GSA), which oversees federal property and administrative services, was responsible for the incident, which involved a Google Drive folder being mistakenly shared with all 11,200 GSA employees. This led to a formal cybersecurity incident report and investigation. Among the materials shared were banking details related to a Trump-era press conference and a proposed blast door design for the White House Visitor Center.

While it's unclear whether the floor plans or banking information were officially classified, The Post found that nine of the 15 documents were labeled as “CUI,” or Controlled Unclassified Information, data that isn't classified but still requires safeguarding. Some files not only could be viewed, but also edited by all GSA employees. File sharing began in early 2021 during the Biden administration and continued through the Trump years, with the most recent sharing occurring just last week.

Related News

NYT urges Mamdani to prioritize pragmatic reforms in six key areas

Mamdani defeats billionaire-funded campaign, triggers DEM divide

Past security incidents

One of the earliest known incidents occurred in March 2021 when an employee altered share settings on a “safety environment management survey” that included “blueprints” of the White House East Wing. Later that year, the same employee shared a similar report about the West Wing, as well as documents detailing a blast door project. These files remained widely accessible within the agency for years, the records show.

Steven Aftergood, a former security policy analyst with the Federation of American Scientists, explained that while general layout documents may not be classified, those that include “undisclosed structures, passages or security measures” could fall under a 2009 executive order governing national security information. “Even if they were not formally classified,” he added, “they would be closely held for obvious security reasons.”

The GSA’s Office of Inspector General discovered the incident last week during a security audit focused on Google Drive usage. That audit revealed multiple instances of improperly shared files, prompting a report to the agency’s cybersecurity team. By Thursday, the files were secured, and access was revoked.

Despite annual mandatory training and file-scanning software meant to prevent these types of mistakes, a GSA employee acknowledged that human error remains a vulnerability. “Internal controls are not perfect, but we aren’t just letting things happen without checking,” they said. “It’s not like we’re not trying to mitigate things if and when an employee makes a mistake.”

Michael Williams, an expert in international security at Syracuse University, emphasized the broader concern, saying the breach highlights a persistent challenge across administrations. The documents “are absolutely not something you want shared to 11,200 people,” he said. “The danger of this kind of mistake is a challenge across all administrations. It’s not just particularly bad for the Trump administration.”