VA Secretary Comes Under Fire At House And Senate Data Theft Hearings - InformationWeek


VA Secretary Comes Under Fire At House And Senate Data Theft Hearings

The data breach will cost taxpayers $100 million to notify veterans that their information might be compromised and to offer credit protection services.

Veterans Affairs Department Secretary James Nicholson endured a barrage of questioning and criticism at two different Congressional hearings Thursday morning regarding the theft of a VA laptop and hard drive containing sensitive data for up to 26.5 million veterans and their spouses.

Over the course of back-to-back grillings by the House Committee on Veterans Affairs and then the Senate Committee on Veterans Affairs, Nicholson was forced to endure repeated reminders of his department's poor IT security track record, much political grandstanding by Congressional leaders, and a call for his resignation.

The hearings focused on the fallout of the May 3 data theft, after a VA analyst took his laptop home to do some after-hours work. The analyst was authorized to access sensitive information about veterans, including Social Security numbers and dates of birth, which were required for a policy-related project he had been assigned. The analyst wasn't, however, authorized to remove VA data from the VA's offices, even though he admitted to having done so as part of his work routine since 2003. His home was burglarized, and the laptop and an external hard drive went missing.

To make the situation worse, the stolen data wasn't encrypted, even though Nicholson claimed Thursday that the VA has a policy of encrypting sensitive data to mitigate the damage of a data breach. And the VA Inspector General's subsequent investigation indicates that the analyst's supervisors weren't aware that the analyst had removed the data from VA offices.

Nicholson's responses to questions vacillated between taking responsibility for the data breach and expressing anger that he wasn't informed of the breach until two weeks after it occurred. "As a veteran myself, I have to tell you I'm outraged. Frankly, I'm mad as hell," Nicholson testified before the House Committee on Veterans Affairs. He won't be the only one when taxpayers find out that the data breach is expected to cost them at least $100 million to notify affected veterans and provide them with credit-checking services.

Nicholson also stated that his department has begun a "relentless investigation of its policies on information security." Still, it was revealed during the House hearing that the department doesn't even know how many of its employees telecommute.

The VA's Inspector General and the Government Accountability Office have for years criticized the VA regarding its IT security policies and practices. "We are also reviewing how policies are disseminated to VA employees, whether VA employees are aware of the policies, and whether VA procedures for identifying, reporting and taking action when data has been improperly accessed or improperly used are adequate," George Opfer, inspector general for the Veterans Affairs Department, testified Thursday before a joint hearing held by the Senate Committee on Veterans Affairs and the Senate Committee on Homeland Security and Governmental Affairs.

The VA Inspector General's office issued a fiscal 2001 report indicating weaknesses in VA information security controls. "Our Federal Information Security Management Act reviews have identified significant information security vulnerabilities since FY 2001 that place VA at risk of denial of service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data," Opfer testified Thursday.

An inspector general's report from fiscal 2004 included 16 recommendations for the VA to improve the security of its IT operations, including centralizing IT security programs, implementing an effective patch management program, and addressing unauthorized access and misuse of sensitive information and data that the IG's office discovered during its evaluation. To date, none of the 16 recommendations have been addressed, Opfer testified.
