July 12, 2006 4:46 PM PDT

Veterans Affairs faulted in data theft

In a blistering report, the inspector general's office in the Department of Veterans Affairs said a series of missteps led to theft of hardware containing data on millions of veterans and held up response after the fact.

The report, published Tuesday, blames agency officials for acting "with indifference and little sense of urgency" after the loss of the computer hardware in a house robbery. This, in part, caused the department's slow response to the breach. The theft occurred on May 3, but the secretary of Veterans Affairs was not notified until May 16, and Congress and veterans did not hear of it until May 22.

The laptop and an external hard disk drive, which actually contained sensitive information on about 26 million veterans, were recovered on June 28. The FBI and the Department of Veterans Affairs determined with a high degree of confidence that the data on the external drive was not compromised.

Veterans Affairs employees at all levels get a scathing review in the report, as do the agency's practices. Investigators found a "patchwork of policies," none of which adequately safeguarded information at the department. Furthermore, no rule barred the storing of information on personal hardware and taking it from the worksite.

Still, the data analyst who took the data home to work on a personal project "used extremely poor judgment" and was not authorized to take the data, the report said. After his house was burglarized and the hardware stolen, he did, however, quickly report the theft, including the fact that there was sensitive data on the drive, the report said.

Following the notification, the department dragged its feet over its response, which was inadequate, according to the report. The notification was mired in bureaucracy and even some infighting at the department, with people passing it from one desk to another, the report said.

"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility," according to the report.

For example, upon receiving notification of the theft, the department's deputy assistant secretary for policy, Michael McLendon, decided to rewrite it, stating it was inadequate, according to the report. In fact, the investigators found that McLendon wanted to rewrite it to falsely downplay the risk of the misuse of the stolen data. The data could be read without special software, contrary to McLendon's assertion, investigators found.

New measures implemented by the Department of Veterans Affairs since the incident are a positive step, according to the report. But more needs to be done to ensure protected information is adequately safeguarded, it said. Improvements are needed particularly in security training, sensitivity levels and work with contractors, the report said.

The unnamed data analyst took the data home to work on a "fascination project" to test the accuracy of a 2001 survey of veterans. He has reportedly been fired, but is fighting his termination. McLendon and Dennis Duffy, the acting head of the division the analyst worked in, have reportedly resigned or have been put on administrative leave.


28 comments
And this surprises who?
by tsteele93 July 12, 2006 5:00 PM PDT
If you have dealt with the VA, why would this report surprise you in any way?
Big Government is Bad Thing
by WJeansonne July 12, 2006 7:22 PM PDT
This only reinforces the argument to downsize the federal government, as well as growing local and state governments. Moreover, these bureaucrats don't know s**t from shinola, much less best practices in computer and physical security.
And the thief?...
by J. Warren July 13, 2006 4:27 AM PDT
...is not a party in this?

Lots of blame to spread around here. Er, who -was- that thief responsible for "breaking and entering", anyway?
Funny-Weitech released Combodock
by steve96 July 13, 2006 5:39 AM PDT
The new ComboDock lets investigators copy data from 3.5-inch hard drives without writing any data back to the original drive.

So how can the lying bums in Washington say the data was not retrieved??
it's still criminal
by GTOfan July 13, 2006 6:37 AM PDT
Eventually I hope our government makes it a criminal offense to copy a database of private data onto a laptop. These databases need to be secured in a central vault that can only be accessed a) while in the building and b) with serious security clearance.

For those who want to conduct statistical analysis or other innocuous tests, a subset of the complete database that does not include personal information should be made available to employees. NO ONE needs SS numbers to conduct statistical experiments, as this guy was doing.
VA Data "loss"
by mrmiata7 July 13, 2006 10:24 AM PDT
With the height of the illegal immigration debate occurring and the government granting amnesty to illegal aliens for fraudulently using SSNs I wouldn't be surprised if LaRaza, Mecha or a hundred other groups have our SSNs and are giving them to illegal aliens to expedite their legalization compliments of the de facto Mexican government in DC. They will sell out even veterans to pander to their illegal alien brothers and sisters.
getting proactive
by 209979377489953107664053243186 July 13, 2006 11:12 AM PDT
The big point here is that this incident is a catalyst for proving the necessity for protecting mobile information, be it on a laptop, USB device or email. Data in transit is always at risk of being intercepted and stolen, and if that is important to you, then you and your agency/company must be proactive in protecting valuable information. Easy solutions are available and often free to try, like Taceo. http://www.essentialsecurity.com/products.htm
False sense of security
by homer_d August 30, 2006 11:21 AM PDT
Anyone noticed the repeated mantra of "accessed" and "compromised" when referring to the data on recovered pc's/laptops?? That's because the authorities can't say the data wasn't forensically copied to another device for analysis at the thief's leisure. Meanwhile, John/Jane Doe are given a completely false sense of security!! The VA then revoked the free credit monitoring offer.
veteran info theft no accident
by RobinSzcz December 31, 2006 10:08 AM PST
Has anyone considered that somebody 'high up' on the political food chain wanted the information without leaving a 'paper trail' to them? Knowing the whereabouts of every able-bodied ex-GI would be of great knowledge to someone who anticipates a situation of martial law in the not-too-distant future. The coincidence that this worker just happened to take the data home and just happened to have his computer stolen is a little more than simply far-fetched. It's ludicrous.
If we put all the pieces in place, the wire-tapping, the attempted take-over (not decided yet?) of each State's National Guard, the Federal ID, the preservation of Internment Camps, the Fence on the Mexican border (us in or them out), the requisite passport to leave or enter (try getting one lately), the Shadow Budget (how much is being spent inside America?), and the promise of bigger future attacks, all spell disaster on the horizon. It's as if these people in our current Administration know something we don't and are preparing to NOT have to step out of office in 08. It is interesting that polonium 210 is commonly used as a trigger for nuclear weapons, among other things. Is something coming? Do they have advance warning? What is really going on? Should we open our eyes or continue to play video games?