State Department, VA Disclose Two New Data Breaches

Two federal agencies that have already drawn attention this year for data security breaches are back in the spotlight again — for the same reason.

One of them is the U.S. Department of State, which last week disclosed that it had notified close to 400 individuals that the data they had submitted with their passport applications had been stolen in a database intrusion.

And last Saturday, the Department of Veteran’s Affairs (VA) said that one of its medical centers in Oregon had accidentally posted personal data on about 1,600 patients on its public Web site.

The breach at the State Department occurred in March at around the same time the agency disclosed that some of its contractors had illegally snooped on passport records belonging to Sen. Barack Obama, D-Ill., Sen. John McCain, R-Ariz. and other high-profile citizens, according to a spokeswoman.

That disclosure triggered a review of the security controls protecting the State Department’s Passport Information Electronic Records System (PIERS) which contains records on 192 million passports for 127 million individuals. An Inspector General’s report (download PDF) was released in July and identified “many control weaknesses” — including a general lack of policies, procedures and training for protecting passport data at the State Department. The report noted that there were about 20,500 users with active PIERS accounts as of May, with about 12,200 of them being employees or contractors at the department.

According to a State Department spokeswoman, 383 records were illegally accessed by a State Department employee. That worker has since been terminated, the spokeswoman said. All of those who were affected by the incident have been notified by the department and have been offered one year’s worth of free credit monitoring. The notifications were sent out in two batches, with the first set going out on July 10 and the second on Oct. 6.

When asked how the agency discovered the breach and why it took so long to notify affected individuals, the spokeswoman cited a previous explanation of the events by Sean McCormack another spokesman at the agency. McCormack said the department learned of the breach at around the same time the snooping incidents were disclosed publicly, but offered no further details.

According to The Washington Post, the State Department was tipped off to the intrusion in March by police officers in Washington D.C who discovered nearly two-dozen credit cards and print-outs of eight passport applications during the search of a car that was stopped for having excessively tinted windows. Four of the names on the credit cards matched four of the names on the passport applications, leading police to conclude the passport information had been stolen for identity theft purposes.

The driver of the car, identified as Lieutenant Q. Harris Jr., told police that he was working with a co-conspirator at the State Department and someone who worked for the U.S. Postal Service, the Post reported. While awaiting trial, Harris was killed about a month later in a shooting that his mother believes was directly related to his involvement in the passport fraud case.

So far, at least, the stolen data doesn’t appear to have been misused, the State Department spokeswoman said. She noted, however, that the investigation into the incident is ongoing and did not rule out the possibility that more people could be affected.

Meanwhile, in another embarrassment for the VA, one of its medical centers in Portland, Ore. accidentally posted personal details of about 1,600 veterans on a public Web site. Not all of the records contained Social Security Numbers; In some cases, only patient names or partial names were exposed, according to a spokesman quoted by The Oregonian which reported on the incident.

The information was inadvertently included in agency financial records that were transferred to a federal Web site called USAspending.gov that allows the public to search for details of government contracts and spending, the spokesman said.

In response to Computerworld’s request for comment, the VA spokesman in Portland declined to comment.

For the VA, the incident is only the latest in a string of embarrassing data breaches starting with its loss — and subsequent recovery — of a laptop and storage disks containing personal data on more than in May 2006.

Just two weeks ago, the agency suspended all shredding activity after a routine audit by its Inspector General found that several original copies of veterans’ applications for financial benefits were slated for shredding.

Last November, the agency said it was investigating a potential data compromise involving about 12,000 veterans after three computers holding the data were stolen from a VA facility in Indianapolis. Before that, in another incident, an IT specialist at a VA medical center in Birmingham, Ala. reported as missing a hard disk containing personal data on more than 250,000 veterans and an additional 1.3 million medical providers.

In August 2006, the VA disclosed that Unisys Corp., a subcontractor hired to assist in insurance collections for VA medical centers in Pittsburgh, had reported that a computer containing personal data on over 16,000 veterans was missing.