A lack of oversight, personality conflicts and a serious underestimation of the scale of the information loss all played a significant role in the U.S. Department of Veterans Affairs' response to the theft of millions of veterans' records earlier in 2006, according to a scathing report issued by the VA Office of the Inspector General earlier in the week of July 10.
The report takes a harsh look at how the department reacted to the theft of 26.5 million veterans' records from an employee's home on May 3.
Although no criminal charges are planned, the Inspector General did call for administrative punishment for those involved and offered a series of recommendations for cyber-security and information protection.
The incident has reawakened concerns about identity theft and how well large government agencies and businesses protect sensitive information stored in databases, as well as who can gain access to that information.
“The recurring themes in these reports support the need for a centralized approach to achieve standardization, remediation of identified weaknesses, and a clear chain-of-command and accountability structure for information security,” part of the Inspector General's report reads. “Each year, we continue to identify repeat deficiencies and repeat recommendations that remain unimplemented.”
The disclosure of the missing data has already prompted one federal lawsuit by several veterans groups that seeks $1,000 for every compromised name on the missing data list. The lawsuit also asks for a court to supervise other privacy-protected data.
Secretary of Veterans Affairs R. James Nicholson promised reform.
“VA has embarked on a course of action to wholly improve its cyber and information security programs,” Nicholson said in a written statement to eWEEK. “The IG's report confirms that we must continue with our aggressive efforts to reform the current system.”
Rep. Tom Davis, R-Va., chairman of the House Committee on Government Reform, said in a statement to eWEEK that the report confirmed his committee's concerns about the slow response at VA.
“The IG found that processing the notification of the stolen data was not appropriate or timely, that information security officials acted with indifference and little sense of urgency, … and that current VA policies do not adequately protect personal or proprietary data,” Davis wrote.
“The VA was fortunate—the police eventually recovered its stolen data. Not all agencies are so lucky. And we can't go forward hoping for the same good luck in the future. The federal government must become a better steward of sensitive personal information,” Davis said.
By now, most of what happened on May 3 has become familiar to the public. A laptop computer was taken from the Maryland home of an unnamed VA employee, who had taken the information home so that he could work on a personal project. The computer contained the names, Social Security numbers and dates of birth of millions of veterans and some spouses, as well as some disability ratings.
The employee reported the loss of the laptop and its accompanying external hard disk to the police and to his supervisor as soon as the theft was discovered, but that fact was not made available to higher levels of management until weeks later.
In the report, the Inspector General found that Nicholson was not notified about the theft until May 16, about two weeks later, and Congress and the affected veterans were not notified until May 22.
The stolen laptop and hard drive were recovered on June 28. So far, no one has been charged with taking the equipment from the employee's home.
The FBI has informed the VA that its forensic examination of the recovered laptop and hard drive has been completed. The FBI has also indicated to VA that it has a high degree of confidence—based on the results of the forensic tests and other information gathered during the investigation—that the sensitive files were not accessed or compromised.
The IG report faulted the employee for taking the information home and then leaving it susceptible to the theft. The report also criticized the response, noting that the theft was sometimes discussed in “casual hallway meetings.”
The report also found that strained relationships between several people inside the VA delayed the response and allowed the crisis to fester. The VA secretary was finally notified about what had happened six days later, the report said, but even that was delayed while others sought out additional legal advice.
In addition, the report criticizes workers within VA's Security Operations Center, saying the officials did not interview the employee who took the data. They also did not ask about or properly grasp the scope of the missing data.
“At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating, or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility,” the report said.
The report also took aim at VA's policies for protecting personal and proprietary data. The report offered several recommendations as to how to better protect this information, including background checks for employees and outside contractors as well as a better chain of command for dealing with large-scale problems.
The VA has already recalled all of its laptop computers. The recall was intended to ensure that all employees were meeting security policy requirements, such as having the correct software installed on their laptops.
On June 28, the federal Office of Management and Budget issued new security guidelines to all federal agencies, ordering officials to encrypt all data on laptops or handheld computers unless the information has been deemed “non-sensitive” by an agency's deputy director.
Editor's Note: This story was updated to include comments from the chairman of the House Committee on Government Reform.