The White House Google Drive: Why Traditional File Sharing Controls Failed (& What Works Instead)

By Editorial Team

A routine security audit last week uncovered a prolonged sensitive data exposure: White House floor plans, blast door specifications, and vendor banking details sitting in a Google Drive folder accessible to the entire General Services Administration—all 11,200 employees—for years.

The Washington Post's report detailed how a simple misconfiguration in sharing settings created a security vulnerability that persisted across administrations, with some documents remaining overshared since 2021.

For security leaders watching this unfold, it’s a sobering reality. Even robust security training and scanning tools couldn't prevent what amounts to the digital equivalent of accidentally leaving classified documents in the company breakroom next to the donuts for years at a time.

The GSA's security misstep reveals a clear truth: The future of data protection isn't choosing between risky open sharing that exposed White House floor plans or frustrating lockdowns that cripple workflows—it's embracing intelligent solutions that enable data to move securely where it creates value while maintaining persistent protection and control, regardless of where files travel.

What Happened at the White House?

According to reports, career employees at the General Services Administration (GSA) unintentionally shared a Google Drive folder containing sensitive documents with the agency's entire staff of more than 11,200 people. This mass oversharing was unquestionably inadvertent; these floor plans and sensitive details were never intended for such broad access.

Nine of the 15 files were marked as "controlled unclassified information" (CUI), which requires substantial protection despite not meeting “Classified” criteria. Even more concerning, at least 10 of the shared files allowed GSA employees to not only view, but also edit the content.

The breach wasn't discovered until last week during a security audit of the agency's Google Drive usage. By that point, the improper sharing had continued for multiple years, with documents remaining accessible to thousands of unauthorized viewers.

The "Accidental Overshare": Every IT Leader's Nightmare

This incident highlights a problem that has become the bane of every IT leader's existence: the accidental overshare. It's happened to organizations of all sizes across every industry, and it's not unique to Google Drive. Whether it's SharePoint, OneDrive, Dropbox, or any collaborative platform, the fundamental issue remains the same – tools designed to make sharing easy sometimes make it too easy.

It also underscores the reality of modern work: data must move to create value, but it must move securely and only to those with a legitimate need for access. Many organizations respond by implementing rigid Data Loss Prevention (DLP) tools that attempt to lock down information entirely (something the GSA has reported doing), creating three significant problems:

  1. Blocked legitimate sharing prevents necessary work from happening
  2. User frustration leads to dangerous workarounds and shadow IT
  3. Binary allow/block decisions lack the nuance needed for complex sharing scenarios

The GSA incident demonstrates that neither extreme – completely unrestricted sharing or rigid lockdown – provides an effective solution. What's needed is a more sophisticated approach that enables necessary sharing while preventing inappropriate access.

Practical Solutions: Good, Better, and Best Approaches to Prevent Oversharing

The White House document incident presents an opportunity to evaluate different approaches to the accidental oversharing problem. Let's examine the options available to organizations looking to prevent their own "GSA moment":

GOOD: Continue Using Standard Google Drive Permissions

Organizations can continue relying on Google Drive's native permission model, supplemented with regular security training and periodic audits. This approach maintains ease of use but, as the GSA incident demonstrates, remains highly vulnerable to human error.

A single mis-click can instantly expose sensitive information to thousands, and detection may not happen for months or years.
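As an added illustration (not from the original article, and not Virtru or Google tooling), this is the kind of check a periodic audit could run over Drive permission metadata to surface organization-wide grants like the one in the GSA incident. It assumes records shaped like the Drive API v3 `permissions` fields (`type`, `role`, `domain`, `emailAddress`); the all-staff group address, the "CUI" file-name marker, and the sample data are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

EDIT_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}
ORG_WIDE_GROUPS = {"all-staff@agency.example"}  # assumption: known all-staff groups
CUI_MARKER = re.compile(r"\bCUI\b", re.I)       # assumption: marker in the file name
RANK = {"critical": 0, "high": 1, "review": 2}

class Finding(NamedTuple):
    file_id: str
    audience: str
    role: str
    severity: str

def broad_audience(perm: dict) -> Optional[str]:
    """Describe the audience if a grant reaches the whole organization or beyond."""
    kind = perm.get("type")
    if kind == "anyone":
        return "anyone"
    if kind == "domain":
        return "domain:" + perm.get("domain", "?")
    email = perm.get("emailAddress", "").lower()
    if kind == "group" and email in ORG_WIDE_GROUPS:
        return "group:" + email
    return None  # named user or a scoped group

def audit(files: list) -> list:
    """Return findings for broad grants, most severe first."""
    findings = []
    for f in files:
        sensitive = bool(CUI_MARKER.search(f.get("name", "")))
        for perm in f.get("permissions", []):
            audience = broad_audience(perm)
            if audience is None:
                continue
            editable = perm.get("role") in EDIT_ROLES
            severity = ("critical" if sensitive and editable
                        else "high" if sensitive or editable else "review")
            findings.append(Finding(f["id"], audience, perm.get("role", "?"), severity))
    return sorted(findings, key=lambda x: RANK[x.severity])

# Constructed sample data, not real files.
SAMPLE = [
    {"id": "f1", "name": "CUI - floor plan.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "owner@agency.example"},
        {"type": "domain", "role": "writer", "domain": "agency.example"}]},
    {"id": "f2", "name": "cafeteria menu.docx", "permissions": [
        {"type": "domain", "role": "reader", "domain": "agency.example"}]},
    {"id": "f3", "name": "vendor banking details.xlsx", "permissions": [
        {"type": "group", "role": "writer", "emailAddress": "All-Staff@agency.example"}]},
]
```

Running `audit(SAMPLE)` ranks the editable domain-wide grant on the CUI-marked file first, which is the combination the incident involved.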

BETTER: Disable Native External Sharing + Implement Secure Share

A significantly stronger approach is to disable Google Drive's native external sharing capability entirely – removing the mechanism that created the GSA vulnerability – while implementing Virtru Secure Share to provide a secure alternative path for necessary collaboration. This approach:

  • Eliminates the possibility of accidental oversharing through Google Drive's native sharing
  • Provides users with an intuitive, secure alternative for essential external sharing
  • Ensures all externally shared files have encryption and granular access controls
  • Maintains persistent visibility and the ability to revoke access at any time

This subtle but profound difference means:

  1. Access can be revoked at any time, even after sharing – unlike Google Drive's persistent access model
  2. Detailed logs capture every access attempt, enabling rapid detection of inappropriate sharing patterns
  3. The protection travels with the data, not just depending on correctly configured settings

The key advantage of this approach is that it acknowledges a fundamental reality: data needs to move to create value. Rather than attempting to lock data in place – which inevitably creates workflow obstacles and shadow IT – data-centric security protects information while allowing it to travel beyond the perimeter to wherever it's legitimately needed.

BEST: Implement Comprehensive Attribute-Based Controls

The most sophisticated approach involves implementing a comprehensive system of attribute-based access controls (ABAC) that evaluates multiple contextual factors before allowing access.

While comprehensive attribute-based access control represents the gold standard, it works best with mature data classification and identity frameworks. For organizations at any stage of this journey, Virtru offers tailored approaches—from Secure Share, which brings key protection principles to businesses and government contractors without requiring extensive infrastructure, to our full Data Security Platform that powers sophisticated ABAC implementations across Department of Defense and Intelligence Community environments.

Virtru Secure Share for Google Drive: A Practical Solution for Secure Collaboration

Secure Share for Google Drive delivers specific capabilities that directly address the White House oversharing scenario while providing broader benefits to organizations navigating the balance between collaboration and control. Here’s how.

Disable Native Sharing Without Limiting Productivity: IT leaders can confidently turn off Google Drive's external sharing functionality—eliminating the risk of accidental oversharing—while still providing users with a secure alternative for legitimate collaboration.

Chrome Add-On Simplicity: Deployed as a simple Chrome extension, Secure Share integrates seamlessly into Google Drive's interface, requiring minimal training and maintaining users' familiar workflow.

Large File Support: Share files up to 15GB securely—far beyond email attachment limits—supporting the exchange of large documents, media files, and complex datasets that would otherwise require insecure alternatives like FTP.

Granular Control at the File Level: Unlike the all-or-nothing approach of Google Drive's native sharing, Secure Share enables file-specific controls including expiration dates, watermarks, and download prevention—giving senders unprecedented control over shared content.

No Recipient Accounts Required: External collaborators receive secure access without creating accounts or installing software, eliminating friction points that often drive users toward insecure workarounds.

Centralized Visibility for Admins: Security teams gain comprehensive visibility into external sharing patterns through centralized audit logs and analytics—the exact capability that could have identified the White House document oversharing years earlier.

Compliance Support Built-In: Meet specific regulatory requirements including CMMC for defense contractors, HIPAA for healthcare, and other frameworks requiring controlled external sharing with encryption and access logs.

End-to-End Encryption: Secure Share provides robust encryption that protects files throughout their lifecycle, not just during transmission. Secure Share can also be paired with Virtru Private Keystore to achieve end-to-end encryption with complete key ownership.

Government-Grade Security Compliance: Virtru Secure Share is both FedRAMP and StateRAMP Authorized, with FIPS 140-2 validated encryption that supports ITAR compliance obligations. These authorizations make Secure Share an ideal choice for government agencies and contractors handling sensitive information like the exposed White House documents.

By directly addressing the technical and workflow challenges that lead to sharing incidents, Secure Share provides organizations with a practical solution that delivers both enhanced security and seamless collaboration—preventing "GSA moments" while empowering teams to work effectively with external partners.


Editorial Team

The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
