The United States Department of Veterans Affairs is reporting that it has recovered the stolen laptop computer believed to be carrying the personal records of 26.5 million former and current servicemen that touched off a firestorm of debate over the government's data handling policies.
A Veterans Affairs spokesman confirmed to eWEEK on June 29 that the agency had somehow gotten its hands back on the stolen machine and an external hard drive that was also taken, while not offering any details as to how the devices were returned. Veterans Affairs Secretary Jim Nicholson also confirmed the recovery to reporters in Washington.
"The department and the secretary are encouraged by this development, and it is certainly good news for veterans," the VA spokesman said. "The secretary is still committed to moving the VA forward and putting policies and procedures in place to ensure that this doesn't happen again."
The government had been offering a $50,000 reward for the laptop's return, but the spokesman could not confirm if the sum would be paid out as a result of the laptop recovery.
The situation began when a contractor working for the VA had his Maryland home robbed after taking the computer and an external hard drive out of the office to do work. The employee reported the loss of the laptop and accompanying hard disk to police and to his supervisor as soon as the theft was discovered, but that fact was not made available to higher levels of management until weeks later, at which time it was first reported publicly.
According to documents submitted as part of a class-action suit filed as a result of the data breach, the VA employee had been taking the personal information home routinely for at least three years, and he had at some point been given permission to do so.
As a result of the fallout from the laptop theft, Nicholson announced several major initiatives to be undertaken by the VA in the name of preventing similar incidents. As part of the effort, every laptop computer in the Department of Veterans Affairs will be required to be returned to IT security personnel for a review to ensure that all security and virus software is current. At that time, personnel will remove all unauthorized information or software.
Nicholson also ordered that no personal laptops or other computers would be allowed to be connected to the VA's VPN or to perform any sort of official business. In addition to recalling all laptops for their security audits, every VA facility will have a "security stand down" the week of June 26.
During previous tests conducted by auditors seeking government agency compliance with the Federal Information Security Management Act, the VA repeatedly earned a grade of F for its security policies. The U.S. Department of Agriculture, Internal Revenue Service and Social Security Administration have also recently reported missing or stolen laptops, but the data losses in those incidents were much smaller than the VA's massive data breach.