Risk
5/14/2010
03:06 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Stolen VA Laptop Contains Personal Data

The theft of the laptop containing Veterans Administration data highlights the challenges of managing cybersecurity on devices belonging to contractors.

The Department of Veterans Affairs has suffered another possible breach of private data as a thief recently stole an unencrypted laptop that had held the social security numbers and other information of 616 veterans.

Although the VA hasn't found evidence that the data itself has been breached, the theft of the laptop, which was owned by a contractor and not the VA, highlights organizations' need to work closely with contractors on cybersecurity issues.

That need was also spotlighted last year when reports emerged that hackers had stolen sensitive data about the Pentagon's $300 billion Joint Strike Fighter's electronics systems that had been hosted on contractors' networks.

"We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use," Rep. Steve Buyer, R-Ind., the ranking minority party member of the House of Representatives' committee on veterans affairs, wrote in a May 12 letter to Shinseki, hinting at the fact that all devices connecting to VA networks -- even contractor laptops -- are required to be encrypted.

A seven-month cybersecurity review undertaken last year at the behest of VA secretary Eric Shinseki found that more than 28% of the VA's vendor contracts were missing required clauses about information security, and contractors on 578 contracts actually refused to sign the clauses.

Buyer's letter indicates that cybersecurity clauses were missing from 25 out of 69 contracts between the unnamed contractor whose laptop was stolen and the Department of Veterans Affairs. "I can only conclude from this incident that VA's procurement processes seriously lack standardization in content, fail to articulate requirements, and [lack] compliance oversight," Buyer wrote.

The VA said that 12 of the 14 contracts dealing with facilities affected by this breach had such clauses and that the contractor's employees who work regularly with the VA have taken VA privacy and cybersecurity training.

Upon the laptop's theft, both the contractor and the VA appear to have acted quickly, according to an account of the response provided by a VA spokeswoman. The laptop in question was stolen April 22 from the personal vehicle of one of the contractor's employees, who immediately notified authorities. The contractor notified the VA the next day, and disabled both the user account and server access from the laptop. As of Monday, all affected vets have been mailed notification letters and credit protection offers.

The contractor has also installed whole-disk encryption for VA Pharmacy Services computers, of which the laptop in question was one. Laptops at VA Pharmacy Services have also been replaced by encrypted desktops, the VA is conducting an assessment of the contractor's facility, and began a review of other IT contracts for cybersecurity compliance.

The VA breach comes just over four years after the theft of a VA employee's laptop that had held sensitive personal data on 26.5 million veterans and 2.2 million service members. That breach eventually cost the VA $48 million in notification and a subsequent class action lawsuit.

Though the laptop in that case was eventually recovered, apparently without the data being used for nefarious purposes, the breach and another one a few months later (a Unisys-owned laptop with patient information that went missing) led to unanimously passed legislation meant to ensure the security of veterans' identity and credit information and to VA directives aimed at preventing future similar breaches.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.