July 12, 2006 4:46 PM PDT

Veterans Affairs faulted in data theft

In a blistering report, the inspector general's office in the Department of Veterans Affairs said a series of missteps led to theft of hardware containing data on millions of veterans and held up response after the fact.

The report, published Tuesday, blames agency officials for acting "with indifference and little sense of urgency" after the loss of the computer hardware in a house robbery. This, in part, caused the department's slow response to the breach. The theft occurred on May 3, but the secretary of Veterans Affairs was not notified until May 16, and Congress and veterans did not hear of it until May 22. (Download a PDF of the report.)

The laptop and an external hard disk drive, which actually contained sensitive information on about 26 million veterans, were recovered on June 28. The FBI and the Department of Veterans Affairs determined with a high degree of confidence that the data on the external drive was not compromised.

Veterans Affairs employees at all levels get a scathing review in the report, as do the agency's practices. Investigators found a "patchwork of policies," none of which adequately safeguarded information at the department. Furthermore, no rule barred the storing of information on personal hardware and taking it from the worksite.

Still, the data analyst who took the data home to work on a personal project "used extremely poor judgment" and was not authorized to take the data, the report said. After his house was burglarized and the hardware stolen, he did, however, quickly report the theft, including the fact that there was sensitive data on the drive, the report said.

Following the notification, the department dragged its feet over its response, which was inadequate, according to the report. The notification was mired in bureaucracy and even some infighting at the department, with people passing it from one desk to another, the report said.

"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility," according to the report.

For example, upon receiving notification of the theft, the department's deputy assistant secretary for policy, Michael McLendon, decided to rewrite it, stating it was inadequate, according to the report. In fact, the investigators found that McLendon wanted to rewrite it to falsely downplay the risk of the misuse of the stolen data. The data could be read without special software, contrary to McLendon's assertion, investigators found.

New measures implemented by the Department of Veterans Affairs since the incident are a positive step, according to the report. But more needs to be done to ensure protected information is adequately safeguarded, it said. Improvements are needed particularly in security training, sensitivity levels and work with contractors, the report said.

The unnamed data analyst took the data home to work on a "fascination project" to test the accuracy of a 2001 survey of veterans. He has reportedly been fired, but is fighting his termination. McLendon and Dennis Duffy, the acting head of the division the analyst worked in, have reportedly resigned or have been put on administrative leave.

See more CNET content tagged:
U.S. Department of Veterans Affairs, veteran, theft, department, notification

28 comments

Join the conversation!
Add your comment
And this surprises who?
If you have dealt with the VA, why would this report surprise you in any way?
Posted by tsteele93 (7 comments )
Reply Link Flag
You got that right
Nothing surprises me about this situation. It's more
<a class="jive-link-external" href="http://www.techknowcafe.com/content/view/551/43/" target="_newWindow">http://www.techknowcafe.com/content/view/551/43/</a>
incredible that people have any faith in these government branches at all.
Posted by (156 comments )
Link Flag
And this surprises who?
If you have dealt with the VA, why would this report surprise you in any way?
Posted by tsteele93 (7 comments )
Reply Link Flag
You got that right
Nothing surprises me about this situation. It's more
<a class="jive-link-external" href="http://www.techknowcafe.com/content/view/551/43/" target="_newWindow">http://www.techknowcafe.com/content/view/551/43/</a>
incredible that people have any faith in these government branches at all.
Posted by (156 comments )
Link Flag
Big Government is Bad Thing
This only reinforces the argument to downsize the federal government, as well as growing local and state governments. Moreover, these bureaucrats don't know s**t from shinola, much less best practices in computer and physical security.
Posted by WJeansonne (480 comments )
Reply Link Flag
downsizeDC
You are right, and there is something you can do about it. Goto downsizeDC.com (or .org) and volunteer. Be involved.
Posted by jomac8 (2 comments )
Link Flag
Accoutability
Government agencies like the VA need to be as accountable as say Government asks the private sector to be <a class="jive-link-external" href="http://www.iwantmyess.com/?p=79" target="_newWindow">http://www.iwantmyess.com/?p=79</a>

Would a hospital who leaked ALL of its patient info still be in business without significant reprocussions?
Posted by marileev (292 comments )
Link Flag
Big Government is Bad Thing
This only reinforces the argument to downsize the federal government, as well as growing local and state governments. Moreover, these bureaucrats don't know s**t from shinola, much less best practices in computer and physical security.
Posted by WJeansonne (480 comments )
Reply Link Flag
downsizeDC
You are right, and there is something you can do about it. Goto downsizeDC.com (or .org) and volunteer. Be involved.
Posted by jomac8 (2 comments )
Link Flag
Accoutability
Government agencies like the VA need to be as accountable as say Government asks the private sector to be <a class="jive-link-external" href="http://www.iwantmyess.com/?p=79" target="_newWindow">http://www.iwantmyess.com/?p=79</a>

Would a hospital who leaked ALL of its patient info still be in business without significant reprocussions?
Posted by marileev (292 comments )
Link Flag
And the thief?...
...is not a party in this?

Lot's of blame to spread around here. Er, who -was- that thief responsible for "breaking and entering", anyway?
Posted by J. Warren (17 comments )
Reply Link Flag
And the thief?...
...is not a party in this?

Lot's of blame to spread around here. Er, who -was- that thief responsible for "breaking and entering", anyway?
Posted by J. Warren (17 comments )
Reply Link Flag
Funny-Weitech released Combodock
The new ComboDock lets investigators copy data from 3.5-inch hard drives without writing any data back to the original drive.

So how can the lying bums in Washington say the data was not retrieved??
Posted by steve96 (2 comments )
Reply Link Flag
Same old same old
Same way they tell the rest of the lies that are the stock-in-trade of all bureaucrats and politicians. We unhappy few know how full-of-it they are, but the vast baa-ing flocks will swallow it wholesale and vote the bastards back in.
Posted by davearonson (35 comments )
Link Flag
Funny-Weitech released Combodock
The new ComboDock lets investigators copy data from 3.5-inch hard drives without writing any data back to the original drive.

So how can the lying bums in Washington say the data was not retrieved??
Posted by steve96 (2 comments )
Reply Link Flag
Same old same old
Same way they tell the rest of the lies that are the stock-in-trade of all bureaucrats and politicians. We unhappy few know how full-of-it they are, but the vast baa-ing flocks will swallow it wholesale and vote the bastards back in.
Posted by davearonson (35 comments )
Link Flag
it's still criminal
Eventually I hope our government makes it a criminal offense to copy a database of private data onto a laptop. These databases need to be secured in a central vault that can only be accessed a) while in the building and b) with serious security clearance.

For those who want to conduct statistical analysis or other innocuous tests, a subset of the complete database that does not include personal information should be made available to employees. NO ONE needs SS numbers to conduct statistical experiments, as this guy was doing.
Posted by GTOfan (33 comments )
Reply Link Flag
Be proactive...don't wait for someone else to fix things
Exactly! I agree...people as well as computers nowadays are gathering more information than they need about us and then irresponsibly placing that information into huge unsecured and even mobile devices to maximize opportunity for theft. Not only should they make it a criminal offense, companies AND our government should start taking some security measures themselves to show some action.

People should be educated about the different ways they are vulnerable <a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article1.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article1.htm</a> and also learn how to protect themselves against such vulnerabilities. <a class="jive-link-external" href="http://www.essentialsecurity.com/products.htm" target="_newWindow">http://www.essentialsecurity.com/products.htm</a>
Posted by mveronica (40 comments )
Link Flag
it's still criminal
Eventually I hope our government makes it a criminal offense to copy a database of private data onto a laptop. These databases need to be secured in a central vault that can only be accessed a) while in the building and b) with serious security clearance.

For those who want to conduct statistical analysis or other innocuous tests, a subset of the complete database that does not include personal information should be made available to employees. NO ONE needs SS numbers to conduct statistical experiments, as this guy was doing.
Posted by GTOfan (33 comments )
Reply Link Flag
Be proactive...don't wait for someone else to fix things
Exactly! I agree...people as well as computers nowadays are gathering more information than they need about us and then irresponsibly placing that information into huge unsecured and even mobile devices to maximize opportunity for theft. Not only should they make it a criminal offense, companies AND our government should start taking some security measures themselves to show some action.

People should be educated about the different ways they are vulnerable <a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article1.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article1.htm</a> and also learn how to protect themselves against such vulnerabilities. <a class="jive-link-external" href="http://www.essentialsecurity.com/products.htm" target="_newWindow">http://www.essentialsecurity.com/products.htm</a>
Posted by mveronica (40 comments )
Link Flag
Va Data "loss"
With the height of the illegal immigration debate occuring and the government granting amnesty to illegal aliens for fraudulently using ssn's I wouldn't be surprised if LaRaza, Mecha or a hundred other groups have our ssn's and are giving them to illegal aliens to expedite their legalization compliments of the defacto Mexican government in DC. They will sell out even veterans to pander to their illegal alien brothers and sisters.
Posted by mrmiata7 (11 comments )
Reply Link Flag
Va Data "loss"
With the height of the illegal immigration debate occuring and the government granting amnesty to illegal aliens for fraudulently using ssn's I wouldn't be surprised if LaRaza, Mecha or a hundred other groups have our ssn's and are giving them to illegal aliens to expedite their legalization compliments of the defacto Mexican government in DC. They will sell out even veterans to pander to their illegal alien brothers and sisters.
Posted by mrmiata7 (11 comments )
Reply Link Flag
getting proactive
The big point here is that this incident is a catalyst for proving the necessity for protecting mobile information, be it on a laptop, USB device or email. Data in transit is always at risk of being intercepted and stolen, and if that is important to you, then you and your agency/company must be proactice in protection valuable information. Easy solution are available and often free to try, like Taceo. <a class="jive-link-external" href="http://www.essentialsecurity.com/products.htm" target="_newWindow">http://www.essentialsecurity.com/products.htm</a>
Posted by 209979377489953107664053243186 (71 comments )
Reply Link Flag
getting proactive
The big point here is that this incident is a catalyst for proving the necessity for protecting mobile information, be it on a laptop, USB device or email. Data in transit is always at risk of being intercepted and stolen, and if that is important to you, then you and your agency/company must be proactice in protection valuable information. Easy solution are available and often free to try, like Taceo. <a class="jive-link-external" href="http://www.essentialsecurity.com/products.htm" target="_newWindow">http://www.essentialsecurity.com/products.htm</a>
Posted by 209979377489953107664053243186 (71 comments )
Reply Link Flag
False sense of security
Anyone noticed the repeated mantra of "accessed" and "compromised" when referring to the data on recovered pc's/laptops?? That's because the authorities can't say the data wasn't forensically copied to another device for analysis at the thief's leisure. Meanwhile, John/Jane Doe are given a completely false sense of security!! The VA then revoked the free credit monitoring offer.
Posted by homer_d (2 comments )
Reply Link Flag
False sense of security
Anyone noticed the repeated mantra of "accessed" and "compromised" when referring to the data on recovered pc's/laptops?? That's because the authorities can't say the data wasn't forensically copied to another device for analysis at the thief's leisure. Meanwhile, John/Jane Doe are given a completely false sense of security!! The VA then revoked the free credit monitoring offer.
Posted by homer_d (2 comments )
Reply Link Flag
veteran info theft no accident
Has anyone considered that somebody 'high up' on the political food chain wanted the information without leaving a 'paper trai' to them? Knowing the whereabouts of every able-bodied ex-GI would be of great knowledge to someone who anticipates a situation of martial law in the not-to-distant future. The coincidence that this worker just happened to take the data home and just happened to have his computer stolen is a little more than simply far-fetched. It's ludicrous.
If we put all the pieces in place, the wire-tapping, the attempted take-over (not decided yet?) of each State's National Guard, the Federal ID, the preservation of Internment Camps, the Fence on the Mexican border (us in or them out), the requisite passport to leave or enter (try getting one lately), the Shadow Budget (how much is being spent inside America?), and the promise of bigger future attacks, all spell disaster on the horizon. It's as if these people in our current Administration know something we don't and are preparing to NOT have to step out of office in 08. It is interesting that pulonium 210 is commonly used as a trigger for nuclear weapons, among other things. Is something coming? Do they have advance warning? What is really going on? Should we open our eyes or continue to play video games.?
Posted by RobinSzcz (5 comments )
Reply Link Flag
veteran info theft no accident
Has anyone considered that somebody 'high up' on the political food chain wanted the information without leaving a 'paper trai' to them? Knowing the whereabouts of every able-bodied ex-GI would be of great knowledge to someone who anticipates a situation of martial law in the not-to-distant future. The coincidence that this worker just happened to take the data home and just happened to have his computer stolen is a little more than simply far-fetched. It's ludicrous.
If we put all the pieces in place, the wire-tapping, the attempted take-over (not decided yet?) of each State's National Guard, the Federal ID, the preservation of Internment Camps, the Fence on the Mexican border (us in or them out), the requisite passport to leave or enter (try getting one lately), the Shadow Budget (how much is being spent inside America?), and the promise of bigger future attacks, all spell disaster on the horizon. It's as if these people in our current Administration know something we don't and are preparing to NOT have to step out of office in 08. It is interesting that pulonium 210 is commonly used as a trigger for nuclear weapons, among other things. Is something coming? Do they have advance warning? What is really going on? Should we open our eyes or continue to play video games.?
Posted by RobinSzcz (5 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.