Virginia, still managing its way through a troubled outsourcing deal, has a second IT mess on its hands. The state revealed that an unencrypted flash drive containing personal information on more than 100,000 adult education students has been lost.
The flash drive, which was lost after being given to a researcher at Virginia Tech for use in federally mandated research, contained the names, social security numbers, and birth dates of students who used adult education and literacy programs, as well as those who earned a high school equivalency certificate.
So far, there's no indication that the data on the drive has been used illegally or otherwise been compromised. "I know that I speak for all employees in expressing regret over the loss of the flash drive," Virginia superintendent of public instruction Pat Wright said in a statement. Virginia's department of education is committed to assisting and "mitigating any risk" to those affected, Wright added.
An announcement was mailed to more than 77,000 former students whose addresses were known, advising them to monitor their financial accounts and to place fraud alerts on their credit files. The state didn't have mailing addresses for 25,000 other students.
The possible data breach comes as auditors continue their investigation into problems with the state's $2.3 billion IT outsourcing deal with Northrop Grumman. Former state CIO Lemuel Stewart was fired earlier this year when he attempted to deny a $14 million payment to the company.
A Virginia commission has issued a 131-page report finding that, despite some progress, the Northrup Grumman deal has created barely a third of the jobs expected and that the vendor missed a July 2009 completion deadline so badly that only 54% of scoped projects had been completed as of last month. Virginia's poor contract management and governance were cited for contributing to the problems.
Other problems identified by the report: In one case, subcontractor Verizon attempted to work on the state's enterprise network during business hours without advance notice. In another, it took a prison 18 hours to regain inbound phone service after the problem was given low priority based on the number of employees rather than the number of inmates affected. Agencies have complained that Northrop Grumman hasn't adequately backed up data, while Northrop Grumman and the state disagree over the way that e-mail gets archived. And service calls are sometimes routed to the wrong technician.
The outsourcing deal is under investigation by the Virginia legislature. In August, Northrop Grumman submitted a plan to overhaul the deal.
Tom Shelman, VP of Northrop Grumman Information Systems' civil systems division, in a letter to auditors, pointed to "significant successes in recent months." In a separate letter to the commission, state CIO George Coulter noted that changes to the way Virginia works with Northrop Grumman are already underway.
As a result of the problems, Virginia governor Tim Kaine has made the case that the state's CIO should report to him, a position he repeated in a statement agreeing with the commission's findings.
Read InformationWeek's first-ever analysis of top CIOs in federal, state, and local government, and how they're embracing new expectations. Download the report here (registration required).