After the theft, the VA hired forensic experts to determine how many records had been compromised. The next step was to implement a series of personnel changes in the Office of Policy and Planning, where the breach occurred, Gordon Mansfield, deputy secretary of Veterans Affairs, testified Thursday before the House committee. Nicholson also pushed for all VA employees to take cyber-security awareness and privacy awareness training by the end of June.
The VA's initial response to the data loss was to mail more than 17.5 million letters advising those affected of the data loss and providing them with contact information if they had questions. The department was in the process of issuing a request for proposals to vendors capable of providing credit monitoring to victims of the theft when it announced the stolen laptop had resurfaced.
Last week, the Federal District Court in Kentucky, which is hearing one of the class action lawsuits resulting from the data theft, issued a temporary restraining order barring the government from publicizing free credit monitoring services to veterans whose personal data was stolen. This court case also placed on hold the department's plans to perform a security review of all VA laptops, Mansfield testified. The department is now awaiting guidance from the courts.
Nicholson also directed the VA to conduct an inventory of all positions requiring access to sensitive VA data by August 31 to ensure that only those employees who need such access to do their jobs have it. "And we will be developing the procedures necessary to assure that employees have an appropriate level of background check in place, and that those be updated on a regular basis," Mansfield testified. "For example, the employee from whom data was stolen had not had a background investigation for 32 years."
The Veterans Administration Inspector General, Federal Bureau of Investigation, and Montgomery County Police Department collaborated to find the stolen computer equipment. A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen, the FBI said in a statement, adding that the investigation into the theft is ongoing. The computer was turned in Wednesday by an unidentified person. An FBI spokesperson said that the person had not been charged and was not a suspect in the burglary.
The theft was the biggest of several data thefts and hacks that the federal government has endured in the past month. In May, an Internal Revenue Service employee lost an agency laptop that contained sensitive personal information on 291 workers and job applicants. In late June the Agriculture Department revealed that a hacker had broken into its network and stolen names, Social Security numbers, and photos of 26,000 employees and contractors in the Washington area. On June 22 the Federal Trade Commission said two laptops with personally identifiable info on 110 people was stolen from a locked vehicle. That same day, the Navy said it was investigating how Social Security numbers and other personal data for 28,000 sailors and family members wound up on a civilian Web site.
But none of these had the impact of the colossal score a thief had perpetrated against the VA. It was a situation that called into question the government's policies toward handling sensitive data and how well employees know, and adhere to, those policies.
"This theft of VA data has been a wake up call to all of us--at VA and in government in general," Mansfield added.