5/14/2010 03:06 PM

Stolen VA Laptop Contains Personal Data

The theft of the laptop containing Veterans Administration data highlights the challenges of managing cybersecurity on devices belonging to contractors.

The Department of Veterans Affairs has suffered another possible breach of private data after a thief recently stole an unencrypted laptop that held the Social Security numbers and other information of 616 veterans.

Although the VA hasn't found evidence that the data itself has been breached, the theft of the laptop, which was owned by a contractor and not the VA, highlights organizations' need to work closely with contractors on cybersecurity issues.

That need was also spotlighted last year when reports emerged that hackers had stolen sensitive data about the Pentagon's $300 billion Joint Strike Fighter's electronics systems that had been hosted on contractors' networks.

"We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use," Rep. Steve Buyer, R-Ind., the ranking minority party member of the House of Representatives' committee on veterans affairs, wrote in a May 12 letter to VA Secretary Eric Shinseki, alluding to the requirement that all devices connecting to VA networks -- even contractor laptops -- be encrypted.

A seven-month cybersecurity review undertaken last year at the behest of VA secretary Eric Shinseki found that more than 28% of the VA's vendor contracts were missing required clauses about information security, and contractors on 578 contracts actually refused to sign the clauses.

Buyer's letter indicates that cybersecurity clauses were missing from 25 out of 69 contracts between the unnamed contractor whose laptop was stolen and the Department of Veterans Affairs. "I can only conclude from this incident that VA's procurement processes seriously lack standardization in content, fail to articulate requirements, and [lack] compliance oversight," Buyer wrote.

The VA said that 12 of the 14 contracts dealing with facilities affected by this breach had such clauses and that the contractor's employees who work regularly with the VA have taken VA privacy and cybersecurity training.

Upon the laptop's theft, both the contractor and the VA appear to have acted quickly, according to an account of the response provided by a VA spokeswoman. The laptop in question was stolen April 22 from the personal vehicle of one of the contractor's employees, who immediately notified authorities. The contractor notified the VA the next day, and disabled both the user account and server access from the laptop. As of Monday, all affected vets have been mailed notification letters and credit protection offers.

The contractor has also installed whole-disk encryption on VA Pharmacy Services computers, of which the laptop in question was one. Laptops at VA Pharmacy Services have also been replaced by encrypted desktops, and the VA is conducting an assessment of the contractor's facility and has begun a review of other IT contracts for cybersecurity compliance.

The VA breach comes just over four years after the theft of a VA employee's laptop that held sensitive personal data on 26.5 million veterans and 2.2 million service members. That breach eventually cost the VA $48 million in notification costs and a subsequent class action lawsuit.

Though the laptop in that case was eventually recovered, apparently without the data having been used for nefarious purposes, that breach and another one a few months later (a Unisys-owned laptop with patient information that went missing) led to unanimously passed legislation meant to ensure the security of veterans' identity and credit information, and to VA directives aimed at preventing similar breaches in the future.
