[ISN] Top VA Officials Criticized in Data Theft

From: InfoSec News (alerts@private)
Date: Tue Jul 11 2006 - 22:43:34 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2006/07/11/AR2006071101066.html

By Christopher Lee
Washington Post Staff Writer
July 12, 2006

A career analyst and top officials at the Department of Veterans Affairs 
share the blame for the recent theft of sensitive personal data on 
millions of veterans, federal investigators said yesterday.

In a 68-page report, VA Inspector General George J. Opfer recommended that 
VA Secretary Jim Nicholson "take whatever administrative action deemed 
appropriate" to punish officials who were slow to report and investigate 
the May 3 theft of a laptop computer and an external hard drive from the 
analyst's Aspen Hill home.

Opfer wrote that new security measures since the theft are "a positive 
step" but are inadequate. Nicholson should establish "one clear, concise 
VA policy on safeguarding protected information," he wrote.

The report, the product of a nearly two-month investigation, included no 
new major findings about the theft and the department's handling of it -- 
subjects picked over for weeks in a series of congressional hearings and 
in news stories.

It did, however, unearth previously undisclosed details, such as that the 
stolen laptop itself contained no VA data, only the external drive did. 
The report also found that, contrary to testimony by VA officials, the 
thieves would not have needed to know how to use a statistical software 
program to view the data.

The laptop and hard drive were recovered last month by law enforcement. VA 
spokesman Matt Burns said the FBI informed the department yesterday that, 
after a battery of forensic tests, investigators had a "high degree of 
confidence" that the thieves had not accessed the data.

Robert Wallace, executive director of the Veterans of Foreign Wars, said 
the IG report underscored the "lack of leadership" at VA. Senior officials 
knew of the theft within an hour of when the employee reported it to local 
police, but Nicholson was not told until almost two weeks later. He did 
not inform the public until six days after that, on May 22.

"We're waiting for the secretary to act," Wallace said. "I want him to 
take every action he has to clean that place up. The secretary seems to be 
the poor guy sitting out on a limb; he's the last guy to know, and then he 
responds."

In a statement, Nicholson said that "VA has embarked on a course of action 
to wholly improve its cyber and information security programs." He added: 
"The IG's report confirms that we must continue with our aggressive 
efforts to reform the current system."

Nicholson earlier forced the retirement of Dennis Duffy, a longtime civil 
servant who was the acting assistant secretary overseeing the division in 
which the analyst worked. Michael McLendon, a political appointee who 
supervised the analyst, resigned from the department soon after Nicholson 
disclosed the theft to the public.

The analyst -- who the IG confirms took the data home without 
authorization -- has been notified of his termination, but he is 
challenging the firing. The analyst began taking the data home in 2003 for 
a self-described "fascination project" to test the accuracy of a survey of 
veterans by VA in 2001, the report said.

Rep. Lane Evans (Ill.), ranking Democrat on the House Committee on 
Veterans Affairs, said in a statement: "The Secretary testified before our 
Committee that he is 'mad as hell' about the data breach. He should be. 
His actions in light of these IG findings will tell us if those words were 
deeply felt or simply meant to engender sympathy under intense pressure."

© 2006 The Washington Post Company




