VA Had Many Security Warnings Before Its 26.5 Million-Person Breach
The organization didn't take the risk seriously enough and broke with security best practices.
Much of last week's howling outrage over the theft of a laptop containing personal data on millions of veterans and spouses focused on the Veterans Affairs Department's poor IT security record. The political grandstanding and indignation last week were on the mark, but we should be long past the need to chastise organizations for poor security practices. It's time for execution and enforcement.
A VA analyst took home electronic data from the office to do after-hours work on his personal computer. The data included names, Social Security numbers, and dates of birth on 26.5 million people. The laptop and an external hard drive the analyst was using, along with the data, were stolen in a May 3 burglary.
The VA ran afoul of standard security practices on many levels. The analyst was authorized to access the sensitive information, which was required for a policy-related project, but not to remove it from the office. Yet that policy was little known or largely ignored. The unidentified analyst had been taking data home as part of his work routine since 2003, unbeknownst to his supervisors, the VA inspector general's investigation found.
VA Secretary James Nicholson has plenty of company in the "mad as hell" club
Photo by AP Photo/Charles Dharapak
What's more, the VA has a policy of encrypting sensitive data to mitigate damage in the event of a breach, but the missing data wasn't encrypted. And top brass wasn't informed until two weeks after the theft, VA Secretary James Nicholson said last week.
This confluence of sloppy security practices opened the floodgates last week on the VA and Nicholson, who at one point had to excuse himself from the shellacking he was taking at a House hearing to endure another one in the Senate. Nicholson vacillated between taking responsibility for the data breach and expressing anger. "As a veteran myself, I have to tell you I'm outraged. Frankly, I'm mad as hell," Nicholson told the House Committee on Veterans' Affairs. He won't be the only one when taxpayers find out that the gaffe will cost them at least $100 million to notify affected veterans and provide them with credit-checking services.
With the VA having done wrong by 26.5 million veterans and their relatives, members of Congress were in speech-making mode last week. Sen. Larry Craig, R-Idaho, wondered whether the VA really needs to retain all the data it has. "But I also know that when Americans contact their government or veterans file a claim, they expect in this day and age that [the government] will have their information," said Craig, chairman of the Senate's Committee on Veterans' Affairs.
"I hope what took place at the VA a few weeks ago is only an isolated incident of bad judgment by a dedicated employee seeking to do a little work at home on his own time," Craig said. "But we must not ignore the fact that at this time getting that information to his or her home was very easy. That cannot be tolerated."
That's really what this breach is all about: Companies and organizations can't rely too much on the good judgment of employees or their ability to follow policies. They need security systems that back them up when judgment and policies fail. As data is increasingly mobile--laptops, memory sticks, personal devices like iPods--the risk of loss is too great to ignore.
VA Ignored Risks
The VA failure is the largest since last summer's hack of credit card processor CardSystems, according to the Privacy Rights Clearinghouse, though that was a clear case of targeted data theft. Investigators so far don't suspect the VA loss was anything but a home burglary. Yet what's stunning about the VA case is the amount of data that one person could access and remove without requiring encryption or interacting with a supervisor. A March blunder by Fidelity Investments, in which an employee's laptop containing the names, addresses, Social Security numbers, birth dates, and other employment-related information of 196,000 participants in Hewlett-Packard retirement plans was stolen, pales in comparison with the VA mess.
The VA hadn't taken the risks related to mobile data and data security seriously enough, according to the VA's inspector general and the Government Accountability Office, which for years has criticized the agency's IT security policies and practices. "Our Federal Information Security Management Act reviews have identified significant information security vulnerabilities since fiscal 2001 that place VA at risk of denial-of-service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data," George Opfer, inspector general for the Veterans Affairs Department, testified last week.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.