Protecting Sensitive Information: Lessons from a Recent GSA Data Exposure

Category

Breaches, CMMC, Cybersecurity Fundamentals


A recent GSA incident exposed sensitive White House documents to over 11,000 employees due to a simple permissions error, highlighting the urgent need for smarter access controls.

What happened?

On April 20, 2025, it was reported that sensitive government documents were accidentally shared with the entire General Services Administration (GSA) staff - more than 11,000 people. Among the files were sensitive White House blueprints.

According to The Washington Post, the documents were stored in a Google Drive folder and included layouts of the East and West Wings of the White House, plans for a potential blast door at the visitor center, and banking information for a vendor who supported a Trump administration press event.

Why is this important?

Securing permissions on your online documents is always important - but when it comes to potentially classified or sensitive information, it’s absolutely critical. These types of materials should only be shared on a strict need-to-know basis, and proper classification markings should always be clearly visible.

In the GSA incident, it was discovered that 15 files were inadvertently shared via a Google Drive folder accessible to over 11,000 GSA employees. Nine of these files were marked as Controlled Unclassified Information (CUI), and at least 10 allowed edit-level access.

GSA officials explained that while the agency does use software to detect sensitive content across its Google Drives, an employee mistakenly changed the site’s sharing settings. This error made the documents visible - and, in some cases, editable - to the entire agency, bypassing what should have been tighter restrictions.

The exposure dates back at least to early 2021. Among the documents shared were detailed blueprints for the East Wing of the White House, which includes the visitor’s entrance and the First Lady’s office. Later in 2021, a West Wing layout was also shared, showing locations such as the Oval Office, Cabinet Room, Situation Room, and press briefing room. The most recent file was shared as recently as early April 2025.

This comes on the heels of another high-profile security issue. In March 2025, a reporter from The Atlantic was mistakenly added to a Signal group chat that included sensitive operational details about ongoing U.S. military strikes in Yemen. More recently, on April 21, it was reported that Defense Secretary Pete Hegseth shared similar military plans in a separate Signal group - this one including his wife, lawyer, and brother while using his personal phone.

What can I do for my environment?

While these kinds of incidents should be rare, they underscore how important it is to be proactive about digital security, regardless of how sensitive you think your documents may be.

Here are a few key takeaways:

  • Limit access: Only grant access to individuals who truly need it. Disable permissions for everyone else.

  • Be cautious with edit rights: Make sure only the right people can make changes. Keep an audit trail of edits for accountability.

  • Secure your drive environment: Regularly check which apps and tools have access to your cloud storage and revoke those that shouldn’t.

  • Review access often: Conduct routine reviews to ensure users who have access still need it - and remove access for those who don’t. If you’re using Google Drive, you can even set expiration dates for access as you add or modify users.

  • Make training meaningful: The GSA requires yearly privacy trainings, but security awareness needs to go beyond checking a box. Employees should understand what types of information they’re handling and what to do if they see something they shouldn’t.
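
The access review described in the takeaways above can be partly automated. The following is an added example, not code from the original article or from GSA: it checks file records shaped like Google Drive API v3 permission lists (`type`, `role`, `expirationTime`) for organization-wide sharing, broad edit rights, and grants on sensitive files that never expire. The `sensitive` flag, file names, and addresses are constructed assumptions.

```python
# Sharing review over Drive-style file records (added example; sample data is constructed).
BROAD_TYPES = {"domain", "anyone"}                      # whole organization, or anyone
EDIT_ROLES = {"writer", "fileOrganizer", "organizer"}   # roles that can change content
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

SAMPLE = [  # constructed records, shaped like Drive API v3 files(name,permissions)
    {"name": "floorplan.pdf", "sensitive": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "owner@agency.example"},
        {"type": "domain", "role": "writer", "domain": "agency.example"}]},
    {"name": "vendor-banking.xlsx", "sensitive": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "owner@agency.example"},
        {"type": "user", "role": "reader", "emailAddress": "analyst@agency.example"},
        {"type": "user", "role": "reader", "emailAddress": "auditor@agency.example",
         "expirationTime": "2025-06-30T00:00:00.000Z"}]},
    {"name": "cafeteria-menu.docx", "sensitive": False, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "owner@agency.example"},
        {"type": "domain", "role": "reader", "domain": "agency.example"}]},
]

def review_file(record):
    """Return (severity, finding) tuples for one file, most severe first."""
    findings = []
    # "sensitive" is an assumed flag set by your own classification tooling.
    sensitive = record.get("sensitive", False)
    for perm in record.get("permissions", []):
        role, ptype = perm.get("role"), perm.get("type")
        if role == "owner":
            continue  # the owner is expected; review every other grant
        who = perm.get("emailAddress") or perm.get("domain") or ptype
        if ptype in BROAD_TYPES:
            # Broad sharing is worst when it allows edits or covers a sensitive file.
            sev = "HIGH" if role in EDIT_ROLES or sensitive else "MEDIUM"
            findings.append((sev, f"{ptype} {role} access ({who})"))
        elif sensitive and not perm.get("expirationTime"):
            # Individual grant on a sensitive file that will never lapse on its own.
            findings.append(("LOW", f"no expiration set for {who}"))
    return sorted(findings, key=lambda f: RANK[f[0]])

def review(records):
    """Map file name -> findings, omitting files with nothing to report."""
    report = {r["name"]: review_file(r) for r in records}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, findings in review(SAMPLE).items():
        for sev, msg in findings:
            print(f"{sev:6} {name}: {msg}")
```
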

If you’re unsure whether your organization is properly protected, Hive Systems is here to help. We specialize in tailored security training and learning solutions to ensure your team - and your data - stay safe.


 
