Spotlight on Surveillance
Veterans Affairs' Security Failures Put Data of Military Personnel at Risk
EPIC’s “Spotlight on Surveillance” project scrutinizes federal government programs that affect individual privacy. For more information, see previous Spotlights on Surveillance. This month, Spotlight surveys the information technology infrastructure at the Department of Veterans Affairs. For Fiscal Year 2007, Veterans Affairs has requested $80.6 billion, $1.3 billion of which is for the agency’s information technology systems.
Veterans Affairs has been in the news recently because of a huge information security breach that resulted in the theft of unencrypted data affecting 26.5 million people. The agency has estimated that it will cost between $100 million to $500 million to prevent and cover possible losses from the data theft. Though the theft occurred on May 3, 2006, the agency waited until May 22 to inform those who were affected. The delay was just one of many failures by Veterans Affairs in this incident. The following summary of the theft and its aftermath are based on Congressional testimony and press releases from government officials, and news reports.
On May 3, 2006, a data analyst at Veterans Affairs took home a laptop and an external hard drive containing unencrypted information on 26.5 million people. The computer equipment was stolen in a burglary of the analyst’s home in Montgomery County, Md., and he immediately reported the theft to both Maryland police and his supervisors at Veterans Affairs. The analyst admitted that he had been routinely taking home such sensitive data for three years. Though the analyst’s supervisors knew of the theft, it was not until seven days later that the VA Office of Inspector General learned of it, informally through office talk. Veterans Affairs Secretary R. James Nicholson was not told of the data theft until May 16. The next day, Secretary Nicholson informed the FBI, who began working with Montgomery County police to investigate the burglary.
The Department of Veterans Affairs earned an F on the
House Government Reform Committee's annual cyber-
security report card in 2005. It has earned an F in every
year since 2001, except when it earned a C in 2003.
Source: U.S. House of Representatives Government
On May 22, Veterans Affairs issued a statement about the theft, explaining the data stolen included the names, Social Security numbers, dates of births, and some disability ratings for 26.5 million veterans and spouses, but did not include financial information or electronic health records. Subsequent investigation showed that the scope of the data breach was beyond the initial assessment. At a Congressional hearing on May 25, Secretary Nicholson admitted that, though the agency had said the data stolen did not include health records, the disability ratings provided medical information on 2.6 million people. Secretary Nicholson agreed when Rep. Bob Filner asked, “Every specific code relates to a specific health condition, and the disability codes are linked to specific individuals by their name and date of birth, and they reveal each disabled veteran's medical problems and conditions, correct?”
On June 3, Veterans Affairs announced that the personal information of about 50,000 active-duty personnel were included in the data stolen. Another announcement followed on June 6, explaining that the 26.5 million people affected by the data theft included “1.1 million military members on active duty, 430,000 members of the National Guard, and 645,000 members of the Reserves.”
On June 29, Veterans Affairs announced that the laptop and hard drive had been recovered. After an initial assessment, the FBI said it had found no evidence that anyone accessed the sensitive personal data on the equipment. The announcement came as the Associated Press discovered documents showing that Veterans Affairs had given permission in 2002 for the analyst, from whom the equipment was stolen, to work from home with data that included millions of Social Security numbers, disability ratings and other personal information. Agency officials previously said the analyst was fired because he violated agency procedure by taking the data home.
Veterans Affairs Has Failed to Implement These
- centralize IT security programs;
- implement an effective patch management program;
- address security vulnerabilities of unauthorized access
and misuse of sensitive information and data throughout
VA demonstrated during OIG field testing;
- ensure position descriptions contain proper data access
- obtain timely, complete background investigations;
and complete the following security initiatives on
- intrusion detection systems,
- infrastructure protection actions,
- data center contingency planning,
- certification and accreditation of systems,
- upgrading/terminating external connections,
- improvement of configuration management,
- moving VA Central Office (VACO) data center,
- improvement of application program/operating
system change controls,
- limiting physical access to computer rooms,
- wireless devices, and
- electronic transmission of sensitive veteran data.
The massive theft of data from Veterans Affairs is one of many that have been revealed in the last year and a half. Data broker ChoicePoint revealed in February 2005 that it had sold information on about 400,000 people to identity thieves. A short time later, Bank of America misplaced back-up tapes containing detailed financial information on 1.2 million employees in the federal government, including many members of Congress. Lexis-Nexis made available records from its Seisint division on 32,000 Americans to a criminal ring that exploited passwords of legitimate account holders. At a Congressional hearing in June 2006, it was revealed that a hacker had stolen a file from the Department of Energy in November. The file contained the names and Social Security numbers of 1,500 people working in a nuclear weapons division.
The massive data loss at Veterans Affairs was not a fluke, but could easily happen again because of weak information technology security at the agency, according to government officials. Veterans Affairs has had years of warnings, as early as Fiscal Year 1997, about its security weaknesses and failed to act, said Michael L. Staley of the Veterans Affairs Office of Inspector General at a recent Congressional hearing. Mr. Staley testified that problems related to the agency’s control and oversight of access to its information systems “place sensitive information, including financial data and sensitive veteran medical and benefit information, at risk, possibly without detection of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.” The Office of Inspector General has detailed “weaknesses in physical security, electronic security, and FISMA reporting, and … in wireless security and personnel security. Additionally, we have reported significant issues with implementation of security initiatives VA-wide.”
Such significant issues include the failure to implement any of 16 recommendations included in a Fiscal Year 2004 report on the agency’s information technology security, said Mr. Staley. One recommendation was that Veterans Affairs “address security vulnerabilities of unauthorized access and misuse of sensitive information and data throughout VA demonstrated during OIG field testing.” Office of Inspector General tests have show that intruders can successfully break in to Veterans Affairs systems and “capture protected health information in unencrypted clear text.”
The agency earned an F on the House Government Reform Committee's annual cyber-security report card in 2005. It has earned an F in every year since 2001, except when it earned a C in 2003.
The agency needs to address these security issues because of the broad array of data and assets that is at risk, according to recent Congressional testimony by the Government Accountability Office (GAO). The GAO also recommends public notification of data breaches. “When data breaches do occur, notification of those affected an/or the public has clear benefits, allowing people the opportunity to protect themselves from identity theft,” the GAO testified. Although there are no laws requiring notification, the GAO said, it is “consistent with agencies’ responsibility to inform individuals about how their information is being accessed and used, and promotes accountability for its protection.”
The many scandals involving sensitive personal data that has been lost, stolen by or sold to criminals prove that there must be strong security controls, such as encryption of all sensitive information. The laptop and hard drive stolen from the investigation into the Veterans Affairs’ analyst has been found, data theft continues, but of particular concern should beis that for three years the agency permitted the analyst was free to take sensitive, unencrypted data home whenever he wished and that the agency waited 19 days to inform the 26.5 million people that their data was at risk. The first is a failure of internal security controls; the second is a failure of leadership. Congress is debating laws concerning data security and notification requirements and should look to the Veterans Affairs theft as an example of the need for both.
 Department of Veterans Affairs, FY 2007 Budget Submission 1-3, 1-9 (Feb. 2006), available at http://www.va.gov/budget/summary/index.htm.
 Department of Veterans Affairs, Statement, A Statement from the Department of Veterans Affairs (May 22, 2006) (hereinafter “VA May 22 Statement”) available at http://www.va.gov/opa/data/docs/initann.doc#May22Statement.
 Joel Rothstein, US veterans’ data theft may cost $500 million, Reuters, May 25, 2006.
 Statement of George J. Opfer, Inspector General, Department of Veterans Affairs, at a Hearing on Failure of VA’s Information Management Before the Committee on Veterans’ Affairs of the U.S. House of Representatives (May 25, 2006) (hereinafter “Opfer Statement on VA Data Theft”) available at http://veterans.house.gov/hearings/schedule109/may06/5-25-06/GeorgeOpfer.html.
 Opfer Statement on VA Data Theft, supra note 3.
 Statement of R. James Nicholson, Secretary, Department of Veterans Affairs at a Hearing on VA Data Privacy Breach: Twenty-Six Million People Deserve Answers Before a Joint Hearing of the U.S. Senate Committee on Veterans’ Affairs and the U.S. Senate Committee on Homeland Security and Governmental Affairs (May 25, 2006) available at http://veterans.senate.gov/index.cfm?FuseAction=Hearings.CurrentHearings&rID=644&hID=210.
 Opfer Statement on VA Data Theft, supra note 3.
 VA May 22 Statement, supra note 2.
 Transcript of a Hearing on Failure of VA’s Information Management Before the Committee on Veterans’ Affairs of the U.S. House of Representatives (May 25, 2006).
 Department of Veterans Affairs, News Release, Secretary Nicholson Provides Update on Stolen Data Incident: VA’s Investigation Providing New Details about Information Potentially Involved (June 3, 2006) available at http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1131.
 Department of Veterans Affairs, News Release, Secretary Nicholson Provides Update on Stolen Data Incident: Data Matching With Department of Defense Providing New Details (June 6, 2006) available at http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1134.
 Hope Yen, Stolen VA Computer Recovered, Associated Press, June 29, 2006.
 “The documents obtained by The Associated Press show that the data analyst, whose name was being withheld, had approval as early as Sept. 5, 2002, to use special software at home that was designed to manipulate large amounts of data. A separate agreement, dated Feb. 5, 2002, from the office of the assistant secretary for policy and planning, allowed the worker to access Social Security numbers for millions of veterans. A third document, also issued in 2002, gave the analyst permission to take a laptop computer and accessories for work outside of the VA building.” Id.
 Associated Press, ChoicePoint hacking attack may have affected 400,000, Feb. 17, 2005.
 Robert Lemos, Bank of America loses a million customer records, CNet News.com, Feb. 25, 2005.
 Jonathan Krim and Robert O'Harrow, Jr., LexisNexis Reports Theft of Personal Data, Washington Post, Mar. 9, 2005.
 Associated Press, Files from Duke City nuke agency stolen, June 10, 2006.
 Statement of Michael L. Staley, Assistant Inspector General for Audit, Department of Veterans Affairs at a Hearing on the Repeated Failures of VA’s Information Technology Management Before the Committee on Veterans’ Affairs of the U.S. House of Representatives (June 14, 2006) (hereinafter “Staley Statement on VA IT Problems”) available at http://veterans.house.gov/hearings/schedule109/jun06/6-14-06/MichaelStaley.html.
 Staley Statement on VA IT Problems, supra note 21.
 Christopher Lee, Veterans Angered by File Scandal, Washington Post, May 24, 2006.
 Testimony of Linda D. Koontz, Director, Information Management Issues, Government Accountability Office, and Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office at a Hearing on the Repeated Failures of VA’s Information Technology Management Before the Committee on Veterans’ Affairs of the U.S. House of Representatives (June 14, 2006) available at http://veterans.house.gov/hearings/schedule109/jun06/6-14-06/LindaKoontz.pdf.