
Veterans Data Theft

The news goes from bad to worse around the data theft from a Department of Veterans Affairs data analyst's home. What looked at first like a cover-up is looking more like incompetence or a simple lack of planning.

A Department of Veterans Affairs data analyst, whose home was burglarized, putting 26.5 million personal records belonging to veterans into the hands of the burglars, had routinely taken such data home. This was a practice going back to at least 2003, according to VA Inspector General George J. Opfer, who said: "It wasn't like all of a sudden one night he took home all this data." The data includes names, birthdates, disability ratings, and Social Security numbers of veterans.

Adding to the concerns of veterans, Veterans Affairs Secretary Jim Nicholson reports that the information on the laptop computer and external hard drive stolen May 3 was not encrypted or "scrambled." No word as to whether or not a password was in place. Even worse, other sensitive data was found in the employee's home, which has now been removed. The department therefore has to determine just what the extent of the stolen data really is.

Continuing the bad news, Opfer reports his office wasn't aware of the data loss, which occurred on May 3, until May 10th. Even then it was only through an offhand remark by an employee at a routine meeting. The fact that there was no formal structure in place to report the loss of such a significant amount of data is completely astounding. Veterans Affairs Secretary Jim Nicholson wasn't brought into the picture until May 16th, and the FBI wasn't alerted until May 17th. The public announcement came the following Monday.

Here are some of the most obvious issues of this event:

 

  1. Establish protocols as to what should happen when data is breached. The employee reported a stolen laptop to his supervisor. Apparently Deputy Secretary of Veterans Affairs Gordon Mansfield was informed, but he didn't pass the information on to his superiors or to local and federal law enforcement, which should have been part of the protocol.

  2. Rules like not allowing certain data to go offsite or not giving all personnel permission to take data offsite were not being enforced. Enforce the security rules that do exist; remember, the Reuters report said the employee wasn't even authorized to have the data outside the office, and yet he'd been taking home information since 2003.

  3. Sensitive personal data was not encrypted. If data does get out, at least make it difficult to get into instead of giving it away for free.

  4. The Department of Veterans Affairs had constantly been getting a failing grade in terms of security and nothing was done to improve this grade. Perhaps correcting this situation throughout the government is in order.

 

Information for this article came from

The Washington Post

Information Week

Forbes

Created by lsmithlas
Last modified May 26, 2006 12:30 PM