The hearing before the House Committee on Veterans' Affairs on Wednesday was only the latest probe into the massive data breach that occurred when a VA analyst took home a government laptop and external drive, then lost them both -- and the 26.5 million veteran and military identities on them -- in a home burglary.
The GAO's Linda Koontz, director of information management issues at the oversight agency, said a repeat of the May debacle was inevitable unless changes were made.
"Without an established and implemented security program, the department will continue to have major challenges in protecting its information and information system from security breaches as the one it recently experienced," she said in testimony before the committee.
She also rattled off a grocery list of long-standing information security problems at the VA, ranging from inadequate physical security of computer facilities to lax control of access authority by VA employees.
The VA's assistant inspector general for auditing, Michael Staley, also slammed the agency. He spelled out 17 security issues at the VA, and reminded Congress that his group had taken the VA to task every year since 2001 over sloppy security.
"We have reported that VA's program and financial data are at risk due to serious problems related to VA's control and oversight of access to its information systems," Staley said in his testimony. "By not controlling and monitoring employee access, not restricting users to only need-to-know data, and not timely terminating accounts upon employee departure, VA has not mitigated the potential risk."
The chairman of the committee, Steve Buyer (R-Ind.), was just as tough on the VA.
"VA's internal controls and information program security have been grossly inadequate for years," said Buyer. "Both the VA IG [Inspector General] and the GAO have indicated VA's decentralized management and lack of accountability as major shortcomings, leading to sixteen recurring, unmitigated vulnerabilities over the past five to eight years."