VA Secretary Comes Under Fire At House And Senate Data Theft Hearings - InformationWeek
04:54 PM
[Dark Reading Crash Course] Finding & Fixing Application Security Vulnerabilitie
Sep 14, 2017
Hear from a top applications security expert as he discusses key practices for scanning and securi ...Read More>>

VA Secretary Comes Under Fire At House And Senate Data Theft Hearings

The data breach will cost taxpayers $100 million to notify veterans that their information might be compromised and to offer credit protection services.

Veterans Affairs Department Secretary James Nicholson endured a barrage of questioning and criticism from two different Congressional hearings Thursday morning regarding the theft of a VA laptop and hard drive containing sensitive data for up to 26.5 million veterans and their spouses.

Over the course of back-to-back grillings by the House Committee on Veterans Affairs and then the Senate Committee on Veterans Affairs, Nicholson was forced to endure repeated reminders of his department's poor IT security track record, much political grandstanding by Congressional leaders, and a call for his resignation.

The hearings focused on the fallout of the May 3 data theft, after a VA analyst took his laptop home to do some after-hours work. The analyst was authorized to access sensitive information about veterans, including Social Security numbers and dates of birth, which were required for a policy-related project he had been assigned. The analyst wasn't, however, authorized to remove VA data from the VA's offices, even though he admitted to having done so as part of his work routine since 2003. His home was burglarized, and the laptop and an external hard drive went missing.

To make the situation worse, the stolen data wasn't encrypted, even though Nicholson claimed Thursday that the VA has a policy of encrypting sensitive data to mitigate the damage of a data breach. And the VA Inspector General's subsequent investigation indicates that the analyst's supervisors weren't aware that the analyst had removed the data from VA offices.

Nicholson's responses to questions vacillated between taking responsibility for the data breach and expressing anger that he wasn't informed of the breach until two weeks after it occurred. "As a veteran myself, I have to tell you I'm outraged. Frankly, I'm mad as hell," Nicholson testified before the House Committee on Veterans Affairs. He won't be the only one when taxpayers find out that the data breach is expected to cost them at least $100 million to notify affected veterans and provide them with credit-checking services.

Nicholson also stated that his department has begun a "relentless investigation of its policies on information security." Still, it was revealed during the House hearing that the department doesn't even know how many of its employees telecommute.

The VA's Inspector General and the Government Accountability Office have for years criticized the VA regarding its IT security policies and practices. "We are also reviewing how policies are disseminated to VA employees, whether VA employees are aware of the policies, and whether VA procedures for identifying, reporting and taking action when data has been improperly accessed or improperly used are adequate," George Opfer, inspector general for the Veterans Affairs Department testified Thursday before a joint hearing held by the Senate Committee on Veterans Affairs and the Senate Committee on Homeland Security and Governmental Affairs.

The VA Inspector General's office issued a fiscal 2001 report indicating weaknesses in VA information security controls. "Our Federal Information Security Management Act reviews have identified significant information security vulnerabilities since FY 2001 that place VA at risk of denial of service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data," Opfer testified Thursday.

An inspector general's report from fiscal 2004 included 16 recommendations for the VA to improve the security of its IT operations, including centralizing IT security programs, implementing an effective patch management program, and addressing unauthorized access and misuse of sensitive information and data that the IG's office discovered during its evaluation. To date, none of the 16 recommendations have been addressed, Opfer testified.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll