Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Report Blasts Veterans Affairs Response to ID Theft



 By: Wayne Rash
2006-07-13
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Updated: In response to the handling of a recent laptop theft, the VA Inspector General's report calls for administrative punishments and a sweeping overhaul of security policies.

A lack of oversight, personality conflicts and a serious underestimation of the scale of the information loss all played a significant role in the U.S. Department of Veterans Affairs response to the theft of millions of veterans records earlier in 2006, according to a scathing report issued by the VA Office of the Inspector General earlier the week of July 10.

The report takes a harsh look at how the department reacted to the theft of 26.5 million veterans records from an employees home on May 3.

Although no criminal charges are planned, the Inspector General did call for administrative punishment for those involved and offered a series of recommendations for cyber-security and information protection.

The incident has reawakened concerns about identity theft and how well large government agencies and businesses protect sensitive information stored in databases, as well as who can gain access to that information.

"The recurring themes in these reports support the need for a centralized approach to achieve standardization, remediation of identified weaknesses, and a clear chain-of-command and accountability structure for information security," part of the Inspector Generals report reads. "Each year, we continue to identify repeat deficiencies and repeat recommendations that remain unimplemented."

The disclosure of the missing data has already prompted one federal lawsuit by several veterans groups that seeks $1,000 for every compromised name on the missing data list. The lawsuit also asks for a court to supervise other privacy-protected data.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Resource Library:
Secretary of Veterans Affairs R. James Nicholson promised reform.

"VA has embarked on a course of action to wholly improve its cyber and information security programs," Nicholson said in a written statement to eWEEK. "The IGs report confirms that we must continue with our aggressive efforts to reform the current system."

Rep. Tom Davis, R-Va., chairman of the House Committee on Government Reform, said in a statement to eWEEK that the report confirmed his committees concerns about the slow response at VA.

"The IG found that processing the notification of the stolen data was not appropriate or timely, that information security officials acted with indifference and little sense of urgency, … and that current VA policies do not adequately protect personal or proprietary data," Davis wrote.

"The VA was fortunate—the police eventually recovered its stolen data. Not all agencies are so lucky. And we cant go forward hoping for the same good luck in the future. The federal government must become a better steward of sensitive personal information," Davis said.

By now, most of what happened on May 3 has become familiar to the public. A laptop computer was taken from the Maryland home of an unnamed VA employee, who had taken the information home so that he could work on a personal project. The computer contained the names, Social Security numbers and dates of birth of millions of veterans and some spouses, as well as some disability ratings.

The employee reported the loss of the laptop and its accompanying external hard disk to the police and to his supervisor as soon as the theft was discovered, but that fact was not made available to higher levels of management until weeks later.

In the report, the Inspector General found that Nicholson was not notified about the theft until May 16, about two weeks later, and Congress and the affected veterans were not notified until May 22.

The stolen laptop and hard drive were recovered on June 28. So far, no one has been charged with taking the equipment from the employees home.

A group of veterans sues the VA over the data breach. Click here to read more.

The FBI has informed the VA that its forensic examination of the recovered laptop and hard drive has been completed. The FBI has also indicated to VA that it has a high degree of confidence—based on the results of the forensic tests and other information gathered during the investigation—that the sensitive files were not accessed or compromised.

The IG report faulted the employee for taking the information home and then leaving it susceptible to the theft. The report also criticized the response, noting that the theft was sometimes discussed in "casual hallway meetings."

The report also found that strained relationships between several people inside the VA delayed the response and allowed the crisis to fester. The VA secretary was finally notified about what had happened six days later, the report said, but even that was delayed while others sought out additional legal advice.

In addition, the report criticizes workers within VAs Security Operations Center, saying the officials did not interview the employee who took the data. They also did not ask about or properly conceive the scope of the missing data.

"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating, or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility," the report said.

The report also took aim at VAs policies for protecting personal and proprietary data. The report offered several recommendations as to how to better protect this information, including background checks for employees and outside contractors as well as a better chain of command for dealing with large-scale problems.

The VA has already recalled all of its laptop computers. The recall was intended to ensure that all employees were meeting security policy requirements, such as having the correct software installed on their laptops.

On June 28, the federal Office of Management and Budget issued new security guidelines to all federal agencies, ordering officials to encrypt all data on laptops or handheld computers unless the information has been deemed "non-sensitive" by an agencys deputy director.

Editors Note: This story was updated to include comments from the chairman of the House Committee on Government Reform.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Report Blasts Veterans Affairs Response to ID Theft
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Wayne Rash
 


xr㶲(;; YڦxH)ْZc[^f&U(S$IVrϮO7t$_&%lݍF޻$\8acr3c}:I}"I{(~0`R˩8AZNɑ!,Շ)~-slrCjwGl$J{'AT{# xL95Μ k9ԗoˏ~e0-ZAQ6)֐N0-Z P8"x,Z="?*B4e$oQX}؁䛿Q=2pS6BT!|DJ%h!GQus{/ !X]~j4LߵXhj9:TN`Uƞfn= aZ.91rx&Խ;@ *YsDƞIC d"LJA`:p,#G^Cݡc9 N\^ ZSӂ螩[mɧ9u]kԏPL0H -{`2E%$7 .lqO-%0/<{e6O( |@ɠCӱCģZr$˺7hCmCXSKC(DžJ|+62٣SauRV5MQ/W ? ?th;XCRy] ! eUS<> i^_wD_*0QI- i|/ Z@::fv}j\"ty[n9,4E; Kxf1SdXI#/YTU9Df9iNzMҺnoNOnڭ3do̲5<JEӀ Zvb!?ޛCVgkUs%gl}j Gt@  Wh: N/z O{uH8=|kh2`=t8Lwjt(~hvN{[d[O.ڧ$'mT&yt7Q[,r$BrF~DX*,>JAͼ94o o SNE ;- ujfͪ5V(z[P G/<@'L)p3Z&j9T23=jMH8Ɯ5ņ])!exFSۤ%/^(P%!P샖_.[ jF|*(If({΀/3A.r)#t 6=aL+^뻹(Z\08Oއ]7+De., s5-wnxaZTpx=7&^wtv[0*>cq4Y`A-. :oo:jal:?o|5"+&rO f[Ԗ-Pò˔AG >< } !NR'})5ٴ6m;4}t>჎$>hƋMr>iH'0i+GݺzLnXŞ+ R߭C0C m|&>l d $4)syp;LM)σ-HˋF0P 2/?>axs O>ȁ{4`sDoi1RB]jJdN˕ ] #RRP$C]HPw9J B!\0HV0(VF􎄰R1iJlRi gRTD;7 KŔ=*%nqR%a 934YIjL=?U Q򍜈="`&Qea*0pRx5Vn/Zb٦By^i${.YU!=: dEgOl; Si#O\g`?^0&1 7R'ބ.~Xz /̡ ->ƘMG {68D&f+Lo>L>hQox@F}4=9)4+pPs >`|=0Xuh93c]edң!=?p*JNC_jVzq}~7MAV?Ty v|9p‡9E#rUϚX 5<.&B#57&Q OzBnehJJ*$,4)ŠpdjK}ݸ^`"3hqNNRЙB#@9zQ/OJb-yhֽkmH_ƠT:. B[+ M2%W}kaԕ %/DA n:bXG6XG4~hN/a2*)w4&nvwla=5G&5|nw'=VU Oß@xz#jISʱb1v g%A qsGI͐6 [IFlp|:.MKϱ("]r;6O7<<fq'Ia e-6BSbg`m1Ja˸hFq,@XĞ]F KǚO]SEeHW w!bFd>i'[arShfh:2-5_GN:6R^-!寻0kMu{ 7aT5\Pbr>+ eT0)5*IMy-"P/?ˇ%Ŵ谢t8ڥs!a*/W3g ZOjZ(T+19ʪZJs3??]et4! wF#~y>w'Ϸt7ZpY9[Jֿz}u>rȵ>gw%eXY1f-1_0kE_{s;OWbL[ )N<:`rUTՖ>Ν.#Џ]MtAk?, ܠYCaiϖCZ,Y~B)'؁-_k1 &E`9\QӲSL*H@8܎:y>-MH+?Z0bϰ)tXcm/kR9Tښ5^쥠]hDA` Н;#ؐCKAk2̯!G8UoF* ϛ=G$1*@7Z ɦ~oV ՆgyϤMpR|=>r7poj%śz_EnMsU-yFD3=JTȭ>yO "BN7x^oxP@"ৣjZ)o ƗDÜbk>t8ߙ]?g`̦vѯ`jdWM û+7e*r6#_?L][L4Fzɖ0M0]sK]7a Z 4yQFkoZ,+eeXS/0yA^Mo6=ITPGQ>=ݠ1p JnurfWϋFپz/w᳋Y/`yAN׹p.7WKߧ ?wL.W-)^s-y0W&Ըh:bO*aո ?>m48Z&IEqDCwȰ Z_ƥslpfꅰjZ ^k5W&'27x- ې}o#s~uY PH2'_1aXHR ~tDݽh|Nku؋N' m D78C*QW"REh%IA%5[g <@9FhDilEb}CxFM>xuS意G 93re[)=h u[t?H/K턟ycPXSω%٘NBEWU-u*ln rYpJUWVr{ѩc+N c,n%P2Y;pOҠc=d08_2{K7Kx=*~{'kLw.z@z@qw{Zg%QJW=(q @jjiAr\"~^YZ䑽DXHڃ}co[#D:*pc޸O/TKݰgQ\OFdž! ,x2- uy0?V՛Q_/B,q@I0.mxza{L{A\ҲL`$@n~G_ߥXx9`Cud̃~T <\a)mUx/K?/j9s&<ܵ:>㽄E%r ^w J\W&broWH\JCym"[PZco$b8==/h *ϔ&"1sR\7XgE7s42,x|\c0nT7=J+.t0% {xW?u4_(?7=Zτk>R KO>{SOx7Z_<ݮ 㭝~OA跜!ˬJi(a ;dͅ q9nVc oxt3FK( 6F#|I)&4C5!D4A.~`pȄC&!d" 4l7tUS2O'TH'Ѣ/T_ͼ_)JYR*Zx<0G¢1+u}-5|z3 5".wr#r4g3Mu^UfD(f3يxHnc}ZGUR۲G#rADC”\>5$@xROn}jW b--+%Je[.)8Axi7Ms^"ufD"#0$Kh.unq .wem٧sCz@6F|$h+ں 0)ԙ3Hʥ~;VA&C؈LH7xIZ¾vcVs=UeR` @+͓NGlxBelg}ۚ+uBa+d5Jq,!K7~U~U~U~Ug*Z|2֍/0$bJ4}<1TKH(F=ϵ/|_? a0Cw~u s0=f+}Dܾ _^EbR_W򥽙2``+TɜydH7~7ωzm@}C%!aYߪڟ6lkZΜ^;VP0#[zoBera&Bxf:K*9Jp3S6wMǴ}"ZG2̬w%UQv_P8CM`,`??WzG}W pCŵ1SK}ݓz>xuOTz}ow#̷De/;2xp'4r&^gU1`75l/&5׏>3Lh]Q76 WTKԒt7f5u\"Cg_DI@"18߻"w½k`auֹ pַƽ:>@/v.1"P˷mԾ|??]ނxTJZiȝ&3v.#j%`ܑ+lyӫ95p_cB/ߠ+5N731"0^v{Btϡk1!Z[qtymF$5?h۾c+@mն-0VgTEQfZ򃧻. [~1{tӥboJY-VC|_~Xyﳹvc ~uP2oO3@84kI/NI5$8&wG~pj8e[YӮ@םYH ,Í$%]Z1;>>Seνco(5?}Or闶U W-^ /*`5,k;hOw>-n b1DKb@/]j Ґ}LFGŒ/OpygsxSy)qFʼn?yxHk];stx7wIēn2~OJ eevt Th6#/~խt {@R(kj E'>dן  C(G*Dz'~/È.~"j\Dzjs鳐ؕĠAIB4욥ĸW{n"9I∘HUWk-g+ ,r"Y"'"KIE/]^|~8. d!Fe3)Muk 0a"ΩTh,vxUȥkc.ᝢZE9TWK.}KBG2KN+ߥtW BZcsWes[ɣ.j", jDC0Z`oh1]gw?)fFllz^C `58olz^C솬M` /J.қ`(gBth&n*16J)tof|HI -g~1~"js{:^`peYHYqc[RJBYIc0 ":;M[vw3smS?@$" ?_J m+Q^_fVܞVk<-GL]=#ZNHh5J\Zx_!Ƅ7͎!++pS CR,6$Ae5T?0нG )8ȚX/J KݴX?/5>co۶y 0t$0SxRC7)(ʁޒ_i?y}A6ژykiF$Ync r/\\Ix##k 볠;doX{+$ʽOg-<-RWld""t:n[jv/Z^릋V '죋B׏l'6g<9asH ]TW\Axӻ3 Bxt'lɮNsbuh c6zSrA1HSTnXk~*JGR2O0 枩pT?TdL4B&(qTi+$<|vtVnOKZ&9a k(E$0r IA!9Q"C 35L{h،6\?HksD!S}%ߺH"V|8snjJ5m^+LJY22 gWSfr?Zsm.4 "GdȀW.}QX\mSEI{(%lGyї51oLl+8=fjԊkm9 g5^LZOFiAn^Znj^Ak 'M&7bQۺhH窕&5+۸v(2_2of}i8QށNF9rzo}yhleB3Y}CgG(חzQkg3r;nFg(_dٮ~1>e2 >2@ \_^f%e^e ?eCyF?P~Q{1W ?Wsw1~'? /q _gs?]fe__P>f'(U}SZ_~ Y{ f wɹN2!(odYNoT8'\$_JeYW@a uuQ~@yJ2,c3\. f{9;[?[O;BX\jzr+^i5v+iA- {} yW /"yeoR6AQ8gG6+F.Э-'ވm]=g%Iy=0?$Mu{1پWߕ\~UnE+tVq&R2#s"q6G#a@A"D4k{HO8ѭ<2z[ÙxI0?ۓ{ݯ\pۭঠϻ]Oޅ-~kOW=M͈.nmG;yh#ֽ2"T_;Yo%P/=Zsge'nA},܇ ߊD,z e%Hi_1\n>_a?f0~u̞^ UxbٴV`,}Tq4 j9uYu8% H-MԳpNR?Ѱs730ӯ.1"q`Fh@R#9w6EM++J9wwrDƛ""C ATMVYI0ZY9,+PPफ़h[iRo膖 yVi8an%[C#Dk(xxmD2y_tmBfpZT;i@18Lo9X-.#RgQ׳+\ř}g_ p1iR  {{[2gډ5 fuʿ.ө)pG ? 3ΕDqe[h =xQl O?gSf@+ՅoRw. hJ/.ӡGx#KQ,V,DmNjB`1+ SP2-#6O,5U,%O|\z_.c˃a.yCw`b)WOM^E`@O^QuEzmX?ap[rb2 BL'ox Wv4F /ÌkR0AS 9GL:Dtx^#5|e'OqDZf+ MĮ+fAj3´g6 )lt> a0'VbgHAأ_BDOv֤>#0q&}w$>}T.q 5sEEבE,&JhӄZ{JfBZ_y96M(>f/X9VX#e i_3QFӾ&]ǚ }ք!نIf;W1^{ #D3dưz< ;1@ EY/vY{qor&zU h$7=j"6: gK“J'Ҥr\鱻$0\d~\g;Thtw[2R,`'/2^;'gH2Gd!᳤c*5S2m-(Eir}7 |In[zQڗE@1agG0HYUҎ_?Bo^!#R.ܐOF{)0XPyw4wԸlQ޺%76x}ҀA0L/Tvy* *>% /)ilƘJu!A]=_v{[>/'R`zQ[`kL\~0qGĶ2C|R4MepvRv ?93_-rxgsg_(LWvm:mmlP/>¼yOW]Q'al`d%k^F:HM`WH؂{XiWe1RpCV)tOe㋰BNt3B+W5`/=H^3(ΐRjã ,c<ԭ<P0_C^&?c5Vqٮ7Ga#®u4-vщ߉n^sQaW_[z0XjPtP9˓z0 9LMhc{pfi#fSSG3 τ ixv4<1TF_E@G7`yUĔfٵ\RKnrmmSk }˦bN܌aBrbr =L%g% s^೐|,/A-r*r*]xD4;NbŠ biS<'\B/1,#{ŠN|]t1^ʳUO:k\/>Jzn`gnVXvQJeVl'+e={Pw r̳G`bhPlQSVIGv3HZ\֓CX-lu; o]F'e1PU>\JBS+$X/WfTNƇ̚J܄;66BKFslx61>)