
    Report Blasts Veterans Affairs Response to ID Theft

    By Wayne Rash - July 13, 2006

      A lack of oversight, personality conflicts and a serious underestimation of the scale of the information loss all played a significant role in the U.S. Department of Veterans Affairs' response to the theft of millions of veterans' records earlier in 2006, according to a scathing report issued by the VA Office of the Inspector General earlier the week of July 10.

      The report takes a harsh look at how the department reacted to the theft of 26.5 million veterans' records from an employee's home on May 3.

      Although no criminal charges are planned, the Inspector General did call for administrative punishment for those involved and offered a series of recommendations for cyber-security and information protection.

      The incident has reawakened concerns about identity theft and how well large government agencies and businesses protect sensitive information stored in databases, as well as who can gain access to that information.

      “The recurring themes in these reports support the need for a centralized approach to achieve standardization, remediation of identified weaknesses, and a clear chain-of-command and accountability structure for information security,” part of the Inspector General's report reads. “Each year, we continue to identify repeat deficiencies and repeat recommendations that remain unimplemented.”

      The disclosure of the missing data has already prompted one federal lawsuit by several veterans groups that seeks $1,000 for every compromised name on the missing data list. The lawsuit also asks for a court to supervise other privacy-protected data.


      Secretary of Veterans Affairs R. James Nicholson promised reform.

      “VA has embarked on a course of action to wholly improve its cyber and information security programs,” Nicholson said in a written statement to eWEEK. “The IG's report confirms that we must continue with our aggressive efforts to reform the current system.”

      Rep. Tom Davis, R-Va., chairman of the House Committee on Government Reform, said in a statement to eWEEK that the report confirmed his committee's concerns about the slow response at VA.

      “The IG found that processing the notification of the stolen data was not appropriate or timely, that information security officials acted with indifference and little sense of urgency, … and that current VA policies do not adequately protect personal or proprietary data,” Davis wrote.

      “The VA was fortunate—the police eventually recovered its stolen data. Not all agencies are so lucky. And we can't go forward hoping for the same good luck in the future. The federal government must become a better steward of sensitive personal information,” Davis said.

      By now, most of what happened on May 3 has become familiar to the public. A laptop computer was taken from the Maryland home of an unnamed VA employee, who had taken the information home so that he could work on a personal project. The computer contained the names, Social Security numbers and dates of birth of millions of veterans and some spouses, as well as some disability ratings.

      The employee reported the loss of the laptop and its accompanying external hard disk to the police and to his supervisor as soon as the theft was discovered, but that fact was not made available to higher levels of management until weeks later.

      In the report, the Inspector General found that Nicholson was not notified about the theft until May 16, about two weeks later, and Congress and the affected veterans were not notified until May 22.

      The stolen laptop and hard drive were recovered on June 28. So far, no one has been charged with taking the equipment from the employee's home.


      The FBI has informed the VA that its forensic examination of the recovered laptop and hard drive has been completed. The FBI has also indicated to VA that it has a high degree of confidence—based on the results of the forensic tests and other information gathered during the investigation—that the sensitive files were not accessed or compromised.

      The IG report faulted the employee for taking the information home and then leaving it susceptible to the theft. The report also criticized the response, noting that the theft was sometimes discussed in “casual hallway meetings.”

      The report also found that strained relationships between several people inside the VA delayed the response and allowed the crisis to fester. The VA secretary was finally notified about what had happened six days later, the report said, but even that was delayed while others sought out additional legal advice.

      In addition, the report criticizes workers within VA's Security Operations Center, saying the officials did not interview the employee who took the data. They also did not ask about or properly conceive the scope of the missing data.

      “At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating, or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility,” the report said.

      The report also took aim at VA's policies for protecting personal and proprietary data. The report offered several recommendations as to how to better protect this information, including background checks for employees and outside contractors as well as a better chain of command for dealing with large-scale problems.

      The VA has already recalled all of its laptop computers. The recall was intended to ensure that all employees were meeting security policy requirements, such as having the correct software installed on their laptops.

      On June 28, the federal Office of Management and Budget issued new security guidelines to all federal agencies, ordering officials to encrypt all data on laptops or handheld computers unless the information has been deemed “non-sensitive” by an agency's deputy director.

      Editor's Note: This story was updated to include comments from the chairman of the House Committee on Government Reform.

      Wayne Rash
      Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and is Senior Columnist for eWEEK. He is the author of five books, including his most recent, "Politics on the Nets". Rash is a former Executive Editor of eWEEK and Ziff Davis Enterprise, and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center, and Editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.
