[ISN] Employee tried to mask extent of latest VA data breach

From: InfoSec News (alerts@private)
Date: Mon Jul 09 2007 - 23:16:18 PDT


By Daniel Pulliam 
July 9, 2007

An information technology specialist at the Veterans Affairs Department 
misled investigators in an attempt to cover up the extent of a data 
breach early this year that jeopardized personal information on more 
than a million people, according to a recent audit report.

In an interview with auditors, the specialist gave inaccurate 
information about the Jan. 22 loss of an external computer hard drive 
from VA's Birmingham, Ala., research facility, the report from the 
department's inspector general stated. The information ended up in a 
press release about the incident, the investigators found.

The specialist also encrypted and deleted multiple files from his 
computer shortly after he reported the data missing, making it more 
difficult to determine what was stored on his desktop, the IG said. He 
initially denied this when confronted by investigators, the report said. 
But an IG computer forensic analysis prompted him to admit to taking 
actions to hide the extent of the missing data.

As of February, the IT specialist, who was not named in the report, had 
been placed on administrative leave pending the outcome of the 
investigation. The VA did not respond to requests for an update Monday 
on the specialist's employment status.

Michael Kussman, VA's undersecretary for health, concurred with the IG's 
recommendation that "appropriate administrative action [be] taken 
against the IT specialist for his inappropriate actions during the 
course of the investigation and for failing to properly safeguard 
personally identifiable information on his missing external hard drive." 
Kussman said the "target completion" date for this was Oct. 1, following 
a review of the evidence.

The specialist had used the hard drive to back up research data he kept 
on a desktop computer and to store other data from a shared network. The 
drive is thought to have contained personally identifiable information 
for more than 250,000 veterans and 1.3 million medical providers. The 
data on medical providers came from the Centers for Medicare and 
Medicaid Services and the Health and Human Services Department.

If the specialist had protected the information in accordance with the 
terms under which it was provided, the breach might have been avoided, 
the report said. The IG also criticized managers for failing to follow 
proper procedures to safeguard data stored on external hard drives.

An Aug. 7, 2006, VA policy prohibits employees from storing sensitive 
data on portable devices without encryption, and assigns responsibility 
to local supervisors for protecting sensitive information. The 
Birmingham facility's director did not request encryption software and 
depended on employees to store external hard drives in a locked office 
safe when not in use, the audit found.

According to the report, several employees decided not to put the hard 
drives in the safe, and at least one took home a hard drive that 
contained privacy protected information concerning VA employees. The 
facility did not keep records of when the safe was accessed or whether 
there was an inventory of its contents.

The director of the Birmingham Medical Center moved the research 
facility into new office space without ensuring that its information 
security needs were sufficiently evaluated, the IG added. The director 
told investigators that when he made the decision, he was not aware that 
employees stored large amounts of sensitive data on external hard 

Kussman also agreed with the IG that the center's director should have 
"appropriate administrative action" taken against him "for failing to 
take adequate security measures to protect personally identifiable 

The FBI has joined the investigation in coordination with the Birmingham 
Police Department. A $25,000 reward has been posted. The VA's technology 
chief said last month that the data breach would cost the department $20 

Investigators have considered "all possible leads," the report stated. 
Those include a burglary of the office; the IT specialist taking the 
hard drive out of the office and losing it or having it stolen; a 
co-worker hiding the hard drive for vengeful reasons; or the accidental 
disposal of the hard drive during routine housekeeping.

Investigators have visited local computer repair shops, contacted eBay 
and questioned many individuals working or living near the office, 
including homeless individuals who frequent the area, the report stated. 
Fingerprints have been taken and two homes and five vehicles of 
employees were searched, according to the IG.

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Mon Jul 09 2007 - 23:33:26 PDT