Dr. Dobb's | VA Data Theft Prompts Overhaul Of Lax Security Culture

VA Data Theft Prompts Overhaul Of Lax Security Culture

When Veterans Affairs Department Secretary James Nicholson said Thursday that the infamous laptop and hard drive stolen from a VA employee's home last month had been recovered, the announcement capped a month-long uproar over the state of data security in the federal government.

June 30, 2006
URL:http://www.drdobbs.com/security/va-data-theft-prompts-overhaul-of-lax-se/190100177

When Veterans Affairs Department Secretary James Nicholson said Thursday that the infamous laptop and hard drive stolen from a VA employee's home last month had been recovered, the announcement capped a month-long uproar over the state of data security in the federal government. Nicholson made his announcement during a House Committee on Veteran's Affairs hearing to update legislators on the breach of 26.5 million records containing sensitive information on veterans and their spouses, which took place May 3 but wasn't made public until the end of the month.

After the theft, the VA hired forensic experts to first determine how many records had been compromised. The next step was to implement a series of personnel changes in the Office of Policy and Planning, where the breach occurred, Gordon Mansfield, deputy secretary of Veterans Affairs, testified Thursday before the House committee. Nicholson also pushed for all VA employees to take cyber security awareness and privacy awareness training by the end of June.

The VA's initial response to the data loss was to mail more than 17.5 million letters advising those affected of the data loss and providing them with contact information if they had questions. The department was in the process of issuing a request for proposals to vendors capable of providing credit monitoring to victims of the theft when it announced the stolen laptop had resurfaced.

Last week, the Federal District Court in Kentucky, which is hearing one of the class action lawsuits resulting from the data theft, issued a Temporary Restraining Order barring the government from publicizing free credit monitoring services to veterans whose personal data was stolen. This court case also placed on hold the department's plans to perform a security review of all VA laptops, Mansfield testified. The department is now awaiting guidance from the courts.

Nicholson also directed the VA to conduct an inventory of all positions requiring access to sensitive VA data by August 31 to ensure that only those employees who need such access to do their jobs have it. "And we will be developing the procedures necessary to assure that employees have an appropriate level of background check in place, and that those be updated on a regular basis," Mansfield testified. "For example, the employee from whom data was stolen had not had a background investigation for 32 years."

The Veterans Administration Inspector General, Federal Bureau of Investigation, and Montgomery County Police Department collaborated to find the stolen computer equipment. A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen, the FBI said in a statement, adding that the investigation into the theft is ongoing. The computer was turned in Wednesday by an unidentified person. An FBI spokesperson said that the person had not been charged and was not a suspect in the burglary.

The theft was the biggest of several data thefts and hacks that the federal government has endured in the past month. In May, an Internal Revenue Service employee lost an agency laptop that contained sensitive personal information on 291 workers and job applicants. In late June the Agriculture Department revealed that a hacker had broken into its network and stolen names, Social Security numbers, and photos of 26,000 employees and contractors in the Washington area. On June 22 the Federal Trade Commission said two laptops with personally identifiable info on 110 people was stolen from a locked vehicle. That same day, the Navy said it was investigating how Social Security numbers and other personal data for 28,000 sailors and family members wound up on a civilian Web site.

But none of these had the impact of the colossal score a thief had perpetrated against the VA. It was a situation that called into question the government's policies toward handling sensitive data and how well employees know, and adhere to, those policies.

"This theft of VA data has been a wake up call to all of us--at VA and in government in general," Mansfield added.