The Washington Post has been reporting daily about the massive Veterans Affairs (VA) Department security breach. As I mentioned in an earlier post this week, a laptop computer was stolen from a VA employee's home in Montgomery County, MD. The stolen property included a portable hard drive on which was stored the unencrypted personal demographic information on 26.5 million U.S. veterans, including Social Security numbers -- the largest theft of SSNs on record. The government has established a website to help affected veterans and their families.
On Friday, the Post reported that this employee routinely took home such demographic data. Today's article provides more details on the nature of the theft and the reporting timeline. The Post reports that "the employee 'assumed full responsibility, acknowledging he knew he should not have taken the data out of the office.'" The Post explores the disturbing reporting timeline -- the employee promptly reported the theft to his superiors and the Montgomery County Police, but the VA Secretary did not learn of the theft until May 16 and the public was not informed until May 22. Even the FBI was not brought in until late last week.
According to the Post, Sen. Susan Collins described the situation as baffling. I agree. While the employee has accepted responsibility, I cannot understand how the VA computer system evidently permitted that employee to download and externally store unencrypted personal data. At a May 25 hearing before the Senate Veterans Affairs Committee, the VA Inspector General reported security vulnerabilities related to the operating system, passwords, a lack of strong detection alerts, and a need for better access controls -- all of which have existed at least since 2001. I trust that in view of this nightmare all IT security officials are now double-checking their own systems' internal controls.