http://www.potomacnews.com/servlet/Satellite?pagename=WPN%2FMGArticle%2FWPN_BasicArticle&c=MGArticle&cid=1149193426231 By JAMES W. CRAWLEY Media General News Service February 28, 2007 WASHINGTON - While the Department of Veterans Affairs reeled last year from the theft of a computer loaded with personal data on 26.5 million vets, VA officials wasted as much as $135,000 on a bungled analysis of the missing information. A report by the VA's inspector general is a tale of favoritism, a late-night contract award, inept contractor employees, expensive restaurant meals and a sabotaged office computer. The agency's inspector general, in the little-noticed report released this month, sharply criticized the hiring of Internet Security Systems, an Atlanta-based firm, and VA officials who approved the contract. The report by the internal watchdog said several VA officials violated federal regulations, did little to monitor the contractor's work and rebuffed VA employees questioning their actions. "As a result of these actions, VA significantly overpaid for the services provided," the report concluded. The VA should recoup money from the contractor and reprimand several current employees, the inspector general recommended. The VA "is working aggressively to implement the recommendations," said spokesman Matt Burns. He would not say if any money had been reimbursed or how many employees, if any, have been reprimanded. After the theft of a VA employee's personal laptop computer and a hard drive that contained millions of veterans' Social Security numbers and personal information last May, the inspector general's office obtained 17 compact discs that the employee had used to transfer data from his office computer to his home computer. After examining the discs, the inspector general's office turned them over to the VA's computer security office June 1, 2006. That day, the VA's top computer security official, Pedro Cadenas Jr., approved a no-bid contract to Internet Security Systems to determine how much information about veterans was missing and report its findings within a few days. Total price was not to exceed $12,768. Also that day, the inspector general's office released the results of its similar analysis of the discs to top VA officials, who used the information in public comments about the scope of the problem. Internet Security Systems obtained the contract because Cadenas had "a personal relationship with high-level ISS officials," the report said. Three phone messages at Cadenas' home in Leesburg were not returned. Internet Security Systems spokeswoman Heidi Litner said the firm is cooperating, but she declined further comment Tuesday. Internet Security Systems has offices worldwide and contracts with many federal agencies and large corporations to protect computers against hackers. IBM bought the firm for $1.3 billion last year. >From the start, Internet Security Systems had trouble doing the work. Company employees tried unsuccessfully for nine hours to read the data - even though it was stored in a common database language used by tens of thousands of government agencies and corporations. Finally, a VA official intervened and used his computer to translate the data into a format the contract employees could use. The next day, Friday, June 2, Cadenas ordered more data analysis from the company, but a VA contracting officer balked because federal law required competitive bids. So, at 10 that Friday night, the VA sent a bid request to five prospective vendors, including Internet Security Systems. The deadline for bids was 1 a.m., Saturday, June 3 - three hours later. Only Internet Security Systems and another firm bid. In an e-mail from his Northern Virginia home at 4:03 a.m., June 3, Cadenas picked Internet Security Systems for the additional data analysis. A few days later, the company was given its first task under the new contract - 385 hours of analysis. The inspector general estimated the analysis should have taken 48 hours - not 385. Internet Security Systems has billed the VA $202,418 for work on the late-night contract. The VA has withheld payment, the report said. On June 23, Cadenas asked the company to do a third job: create a database using veterans' information found on the compact discs. Five days later, police recovered the stolen laptop with the personal data intact. Authorities determined that no identity theft occurred. On June 29, Cadenas announced he was resigning July 14 and went on paid leave. Internet Security Systems continued building the new database. After finishing it in mid-July, the VA paid the firm $119,042 for the new database. In the report, the inspector general said there had been no need to complete the new database. Internet Security Systems has received a total of $135,554 from the VA, including $16,512 paid on the initial no-bid contract. And the VA is still holding the bill for $202,418. What did the VA get in return? Besides a database that wasn't needed, the agency got a pile of expenses reports with few receipts or explanations, the inspector general reported. The firm billed $20,646 for airfare and hotel expenses. A worker submitted restaurant bills of $137, $152 and $266 for separate meals - on a contract in which $64 for three meals per day was the maximum allowed. The same worker also charged the VA $154 to buy a software manual. Another worker claimed $215 for computer hardware shipped to his home. In early July, the questionable contracts attracted the attention of the VA's inspector general. When investigators scheduled an interview with Cadenas for July 12, he decided to quit July 11, three days early. Cadenas also rebuffed investigators' questions while cleaning out his office, the report said. Later, investigators discovered all contract paperwork in the office was missing and his government-owned office computer's hard drive had been erased. Cadenas escaped possible administrative punishment with his resignation, the report said. Copyright 2007 Media General. ______________________________________ Subscribe to the InfoSec News RSS Feed http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Tue Feb 27 2007 - 22:25:25 PST