


by Dave Gradijan

Report: VA Responded to Data Theft with Indifference

Jul 12, 2006 | 2 mins
CSO and CISO | Data and Information Security

A report released on Tuesday from VA Inspector General George Opfer stated that the U.S. Department of Veterans Affairs failed to understand the significance of the data breach in early May and responded with “indifference and little sense of urgency.”

An article states that the 78-page report reviewed the circumstances surrounding the May 5 theft of a laptop computer and external hard drive from the home of a data analyst who had worked at the VA for 34 years. The stolen equipment contained personal information on more than 26 million veterans.

Opfer found that while the analyst was authorized to access and use the database, he did not have permission to take the information home, and he failed to encrypt it or protect it with a password, reports.

Additionally, the analyst’s supervisors told inspectors they were not even aware that he was working on the project, but said if they had known, they would not have allowed him to take the data home.

The report also states department policies for protecting personal and proprietary data were not followed. However, none of the policies prohibits removal of protected information from the work site. Opfer also said these information security weaknesses have yet to be corrected.

Opfer’s report recommended that VA Secretary James Nicholson take whatever administrative action he thinks is appropriate against employees involved, establish clear and concise information security policies, and modify cybersecurity and privacy training, according to reports.

House Veterans’ Affairs Committee Chairman Steve Buyer, R-Ind., said in a statement that the report reiterates what was learned in a series of committee hearings, specifically that “weak information security policies and a lack of central authority over information management left the department vulnerable to massive breaches.”

Rep. Lane Evans, D-Ill., a ranking member of the committee, said the “utterly dysfunctional leadership” was one of a series of failures resulting in the data breach, and Nicholson’s next steps must include a review of why his managers and advisers “botched it and failed to report the matter to him.”

Compiled by Paul Kerstein

For more information, read Data Breach at the VA and When the Dike Breaks: Responding to the Inevitable Data Breach.
