VA Had Many Security Warnings Before Its 26.5 Million-Person Breach - InformationWeek

VA Had Many Security Warnings Before Its 26.5 Million-Person Breach

The organization didn't take the risk seriously enough and broke with security best practices.

Much of last week's howling outrage over the theft of a laptop containing personal data on millions of veterans and spouses focused on the Veterans Affairs Department's poor IT security record. The political grandstanding and indignation last week were on the mark, but we should be long past the need to chastise organizations for poor security practices. It's time for execution and enforcement.

A VA analyst took home electronic data from the office to do after-hours work on his personal computer. The data included names, Social Security numbers, and dates of birth on 26.5 million people. The laptop and an external hard drive the analyst was using, along with the data, were stolen in a May 3 burglary.

The VA ran afoul of standard security practices on many levels. The analyst was authorized to access the sensitive information, which was required for a policy-related project, but not to remove it from the office. Yet that policy was little known or largely ignored. The unidentified analyst had been taking data home as part of his work routine since 2003, unbeknownst to his supervisors, the VA inspector general's investigation found.

VA Secretary James Nicholson has plenty of company in the "mad as hell" club

Photo by AP Photo/Charles Dharapak

What's more, the VA has a policy of encrypting sensitive data to mitigate damage in the event of a breach, but the missing data wasn't encrypted. And top brass wasn't informed until two weeks after the theft, VA Secretary James Nicholson said last week.

This confluence of sloppy security practices opened the floodgates last week on the VA and Nicholson, who at one point had to excuse himself from the shellacking he was taking at a House hearing to endure another one in the Senate. Nicholson vacillated between taking responsibility for the data breach and expressing anger. "As a veteran myself, I have to tell you I'm outraged. Frankly, I'm mad as hell," Nicholson told the House Committee on Veterans' Affairs. He won't be the only one when taxpayers find out that the gaffe will cost them at least $100 million to notify affected veterans and provide them with credit-checking services.

With the VA having done wrong by 26.5 million veterans and their relatives, members of Congress were in speech-making mode last week. Sen. Larry Craig, R-Idaho, wondered whether the VA really needs to retain all the data it has. "But I also know that when Americans contact their government or veterans file a claim, they expect in this day and age that [the government] will have their information," said Craig, chairman of the Senate's Committee on Veterans' Affairs.

"I hope what took place at the VA a few weeks ago is only an isolated incident of bad judgment by a dedicated employee seeking to do a little work at home on his own time," Craig said. "But we must not ignore the fact that at this time getting that information to his or her home was very easy. That cannot be tolerated."

That's really what this breach is all about: Companies and organizations can't rely too much on the good judgment of employees or their ability to follow policies. They need security systems that back them up when judgment and policies fail. As data is increasingly mobile--laptops, memory sticks, personal devices like iPods--the risk of loss is too great to ignore.

VA Ignored Risks
The VA failure is the largest since last summer's hack of credit card processor CardSystems, according to the Privacy Rights Clearinghouse, though that was a clear case of targeted data theft. Investigators so far don't suspect the VA loss was anything but a home burglary. Yet what's stunning about the VA case is the amount of data that one person could access and remove without requiring encryption or interacting with a supervisor. A March blunder by Fidelity Investments, in which an employee's laptop containing the names, addresses, Social Security numbers, birth dates, and other employment-related information of 196,000 participants in Hewlett-Packard retirement plans was stolen, pales in comparison with the VA mess.

The VA hadn't taken the risks related to mobile data and data security seriously enough, according to the VA's inspector general and the Government Accountability Office, which for years has criticized the agency's IT security policies and practices. "Our Federal Information Security Management Act reviews have identified significant information security vulnerabilities since fiscal 2001 that place VA at risk of denial-of-service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data," George Opfer, inspector general for the Veterans Affairs Department, testified last week.
