[ISN] Report: VA funds wasted in data loss

From: InfoSec News (alerts@private)
Date: Tue Feb 27 2007 - 22:13:31 PST


http://www.potomacnews.com/servlet/Satellite?pagename=WPN%2FMGArticle%2FWPN_BasicArticle&c=MGArticle&cid=1149193426231

By JAMES W. CRAWLEY
Media General News Service
February 28, 2007

WASHINGTON - While the Department of Veterans Affairs reeled last year 
from the theft of a computer loaded with personal data on 26.5 million 
vets, VA officials wasted as much as $135,000 on a bungled analysis of 
the missing information.

A report by the VA's inspector general is a tale of favoritism, a 
late-night contract award, inept contractor employees, expensive 
restaurant meals and a sabotaged office computer.

The agency's inspector general, in the little-noticed report released 
this month, sharply criticized the hiring of Internet Security Systems, 
an Atlanta-based firm, and VA officials who approved the contract.

The report by the internal watchdog said several VA officials violated 
federal regulations, did little to monitor the contractor's work and 
rebuffed VA employees questioning their actions.

"As a result of these actions, VA significantly overpaid for the 
services provided," the report concluded.

The VA should recoup money from the contractor and reprimand several 
current employees, the inspector general recommended.

The VA "is working aggressively to implement the recommendations," said 
spokesman Matt Burns. He would not say if any money had been reimbursed 
or how many employees, if any, have been reprimanded.

After the theft of a VA employee's personal laptop computer and a hard 
drive that contained millions of veterans' Social Security numbers and 
personal information last May, the inspector general's office obtained 
17 compact discs that the employee had used to transfer data from his 
office computer to his home computer.

After examining the discs, the inspector general's office turned them 
over to the VA's computer security office June 1, 2006.

That day, the VA's top computer security official, Pedro Cadenas Jr., 
approved a no-bid contract to Internet Security Systems to determine how 
much information about veterans was missing and report its findings 
within a few days. Total price was not to exceed $12,768.

Also that day, the inspector general's office released the results of 
its similar analysis of the discs to top VA officials, who used the 
information in public comments about the scope of the problem.

Internet Security Systems obtained the contract because Cadenas had "a 
personal relationship with high-level ISS officials," the report said.

Three phone messages at Cadenas' home in Leesburg were not returned. 
Internet Security Systems spokeswoman Heidi Litner said the firm is 
cooperating, but she declined further comment Tuesday.

Internet Security Systems has offices worldwide and contracts with many 
federal agencies and large corporations to protect computers against 
hackers. IBM bought the firm for $1.3 billion last year.

From the start, Internet Security Systems had trouble doing the work.

Company employees tried unsuccessfully for nine hours to read the data - 
even though it was stored in a common database language used by tens of 
thousands of government agencies and corporations. Finally, a VA 
official intervened and used his computer to translate the data into a 
format the contract employees could use.

The next day, Friday, June 2, Cadenas ordered more data analysis from 
the company, but a VA contracting officer balked because federal law 
required competitive bids.

So, at 10 that Friday night, the VA sent a bid request to five 
prospective vendors, including Internet Security Systems. The deadline 
for bids was 1 a.m., Saturday, June 3 - three hours later.

Only Internet Security Systems and another firm bid.

In an e-mail from his Northern Virginia home at 4:03 a.m., June 3, 
Cadenas picked Internet Security Systems for the additional data 
analysis.

A few days later, the company was given its first task under the new 
contract - 385 hours of analysis. The inspector general estimated the 
analysis should have taken 48 hours - not 385.

Internet Security Systems has billed the VA $202,418 for work on the 
late-night contract. The VA has withheld payment, the report said.

On June 23, Cadenas asked the company to do a third job: create a 
database using veterans' information found on the compact discs.

Five days later, police recovered the stolen laptop with the personal 
data intact. Authorities determined that no identity theft occurred.

On June 29, Cadenas announced he was resigning July 14 and went on paid 
leave.

Internet Security Systems continued building the new database. After 
the firm finished it in mid-July, the VA paid the firm $119,042 for the 
new database. In the report, the inspector general said there had been 
no need to complete the new database.

Internet Security Systems has received a total of $135,554 from the VA, 
including $16,512 paid on the initial no-bid contract. And the VA is 
still holding the bill for $202,418.

What did the VA get in return?

Besides a database that wasn't needed, the agency got a pile of expense 
reports with few receipts or explanations, the inspector general 
reported.

The firm billed $20,646 for airfare and hotel expenses. A worker 
submitted restaurant bills of $137, $152 and $266 for separate meals - 
on a contract in which $64 for three meals per day was the maximum 
allowed.

The same worker also charged the VA $154 to buy a software manual. 
Another worker claimed $215 for computer hardware shipped to his home.

In early July, the questionable contracts attracted the attention of the 
VA's inspector general.

When investigators scheduled an interview with Cadenas for July 12, he 
decided to quit July 11, three days early.

Cadenas also rebuffed investigators' questions while cleaning out his 
office, the report said.

Later, investigators discovered all contract paperwork in the office was 
missing and his government-owned office computer's hard drive had been 
erased.

Cadenas escaped possible administrative punishment with his resignation, 
the report said.

Copyright 2007 Media General.




