VA Data Theft Prompts Overhaul Of Lax Security Culture - InformationWeek


When Veterans Affairs Department Secretary James Nicholson said Thursday that the infamous laptop and hard drive stolen from a VA employee's home last month had been recovered, the announcement capped a month-long uproar over the state of data security in the federal government. Nicholson made his announcement during a House Committee on Veterans' Affairs hearing to update legislators on the breach of 26.5 million records containing sensitive information on veterans and their spouses, which took place May 3 but wasn't made public until the end of the month.

After the theft, the VA hired forensic experts to first determine how many records had been compromised. The next step was to implement a series of personnel changes in the Office of Policy and Planning, where the breach occurred, Gordon Mansfield, deputy secretary of Veterans Affairs, testified Thursday before the House committee. Nicholson also pushed for all VA employees to take cyber security awareness and privacy awareness training by the end of June.

The VA's initial response to the data loss was to mail more than 17.5 million letters advising those affected of the data loss and providing them with contact information if they had questions. The department was in the process of issuing a request for proposals to vendors capable of providing credit monitoring to victims of the theft when it announced the stolen laptop had resurfaced.

Last week, the Federal District Court in Kentucky, which is hearing one of the class action lawsuits resulting from the data theft, issued a Temporary Restraining Order barring the government from publicizing free credit monitoring services to veterans whose personal data was stolen. This court case also placed on hold the department's plans to perform a security review of all VA laptops, Mansfield testified. The department is now awaiting guidance from the courts.

Nicholson also directed the VA to conduct an inventory of all positions requiring access to sensitive VA data by August 31 to ensure that only those employees who need such access to do their jobs have it. "And we will be developing the procedures necessary to assure that employees have an appropriate level of background check in place, and that those be updated on a regular basis," Mansfield testified. "For example, the employee from whom data was stolen had not had a background investigation for 32 years."

The Veterans Administration Inspector General, Federal Bureau of Investigation, and Montgomery County Police Department collaborated to find the stolen computer equipment. A preliminary review of the equipment by computer forensic teams determined that the database remains intact and has not been accessed since it was stolen, the FBI said in a statement, adding that the investigation into the theft is ongoing. The computer was turned in Wednesday by an unidentified person. An FBI spokesperson said that the person had not been charged and was not a suspect in the burglary.

The theft was the biggest of several data thefts and hacks that the federal government has endured in the past month. In May, an Internal Revenue Service employee lost an agency laptop that contained sensitive personal information on 291 workers and job applicants. In late June the Agriculture Department revealed that a hacker had broken into its network and stolen names, Social Security numbers, and photos of 26,000 employees and contractors in the Washington area. On June 22 the Federal Trade Commission said two laptops with personally identifiable info on 110 people were stolen from a locked vehicle. That same day, the Navy said it was investigating how Social Security numbers and other personal data for 28,000 sailors and family members wound up on a civilian Web site.

But none of these had the impact of the colossal score a thief had perpetrated against the VA. It was a situation that called into question the government's policies toward handling sensitive data and how well employees know, and adhere to, those policies.

"This theft of VA data has been a wake-up call to all of us--at VA and in government in general," Mansfield added.
