Veterans Affairs faulted in data theft

Series of missteps led to exposure of data on millions, held up post-theft response, scathing report finds.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
In a blistering report, the inspector general's office in the Department of Veterans Affairs said a series of missteps led to theft of hardware containing data on millions of veterans and held up response after the fact.

The report, published Tuesday, blames agency officials for acting "with indifference and little sense of urgency" after the loss of the computer hardware in a house robbery. This, in part, caused the department's slow response to the breach. The theft occurred on May 3, but the secretary of Veterans Affairs was not notified until May 16, and Congress and veterans did not hear of it until May 22. (Download a PDF of the report.)

The laptop and an external hard disk drive, which actually contained sensitive information on about 26 million veterans, were recovered on June 28. The FBI and the Department of Veterans Affairs determined with a high degree of confidence that the data on the external drive was not compromised.

Veterans Affairs employees at all levels get a scathing review in the report, as do the agency's practices. Investigators found a "patchwork of policies," none of which adequately safeguarded information at the department. Furthermore, no rule barred the storing of information on personal hardware and taking it from the worksite.

Still, the data analyst who took the data home to work on a personal project "used extremely poor judgment" and was not authorized to take the data, the report said. After his house was burglarized and the hardware stolen, he did, however, quickly report the theft, including the fact that there was sensitive data on the drive, the report said.

Following the notification, the department dragged its feet over its response, which was inadequate, according to the report. The notification was mired in bureaucracy and even some infighting at the department, with people passing it from one desk to another, the report said.

"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility," according to the report.

For example, upon receiving notification of the theft, the department's deputy assistant secretary for policy, Michael McLendon, decided to rewrite it, stating it was inadequate, according to the report. In fact, the investigators found that McLendon wanted to rewrite it to falsely downplay the risk of the misuse of the stolen data. The data could be read without special software, contrary to McLendon's assertion, investigators found.

New measures implemented by the Department of Veterans Affairs since the incident are a positive step, according to the report. But more needs to be done to ensure protected information is adequately safeguarded, it said. Improvements are needed particularly in security training, sensitivity levels and work with contractors, the report said.

The unnamed data analyst took the data home to work on a "fascination project" to test the accuracy of a 2001 survey of veterans. He has reportedly been fired, but is fighting his termination. McLendon and Dennis Duffy, the acting head of the division the analyst worked in, have reportedly resigned or have been put on administrative leave.