A lack of oversight, personality conflicts and a serious underestimation of the scale of the information loss all played a significant role in the U.S. Department of Veterans Affairs' response to the theft of millions of veterans' records earlier in 2006, according to a scathing report issued by the VA Office of the Inspector General earlier the week of July 10.
The report takes a harsh look at how the department reacted to the theft of 26.5 million veterans' records from an employee's home on May 3.
Although no criminal charges are planned, the Inspector General did call for administrative punishment for those involved and offered a series of recommendations for cyber-security and information protection.
The incident has reawakened concerns about identity theft and how well large government agencies and businesses protect sensitive information stored in databases, as well as who can gain access to that information.
"The recurring themes in these reports support the need for a centralized approach to achieve standardization, remediation of identified weaknesses, and a clear chain-of-command and accountability structure for information security," part of the Inspector General's report reads. "Each year, we continue to identify repeat deficiencies and repeat recommendations that remain unimplemented."
The disclosure of the missing data has already prompted one federal lawsuit by several veterans' groups that seeks $1,000 for every compromised name on the missing data list. The lawsuit also asks for a court to supervise other privacy-protected data.
For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.
Secretary of Veterans Affairs R. James Nicholson promised reform.
"VA has embarked on a course of action to wholly improve its cyber and information security programs," Nicholson said in a written statement to eWEEK. "The IG's report confirms that we must continue with our aggressive efforts to reform the current system."
Rep. Tom Davis, R-Va., chairman of the House Committee on Government Reform, said in a statement to eWEEK that the report confirmed his committee's concerns about the slow response at VA.
"The IG found that processing the notification of the stolen data was 'not appropriate or timely,' that information security officials acted with 'indifference and little sense of urgency,' … and that current VA policies do not 'adequately protect personal or proprietary data,'" Davis wrote.
"The VA was fortunate—the police eventually recovered its stolen data. Not all agencies are so lucky. And we can't go forward hoping for the same good luck in the future. The federal government must become a better steward of sensitive personal information," Davis said.
By now, most of what happened on May 3 has become familiar to the public. A laptop computer was taken from the Maryland home of an unnamed VA employee, who had taken the information home so that he could work on a personal project. The computer contained the names, Social Security numbers and dates of birth of millions of veterans and some spouses, as well as some disability ratings.
Read the full story on eWEEK.com: Report Blasts Veterans Affairs' Response to ID Theft
test
