Risk
5/14/2010
03:06 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Stolen VA Laptop Contains Personal Data

The theft of the laptop containing Veterans Administration data highlights the challenges of managing cybersecurity on devices belonging to contractors.

The Department of Veterans Affairs has suffered another possible breach of private data as a thief recently stole an unencrypted laptop that had held the social security numbers and other information of 616 veterans.

Although the VA hasn't found evidence that the data itself has been breached, the theft of the laptop, which was owned by a contractor and not the VA, highlights organizations' need to work closely with contractors on cybersecurity issues.

That need was also spotlighted last year when reports emerged that hackers had stolen sensitive data about the Pentagon's $300 billion Joint Strike Fighter's electronics systems that had been hosted on contractors' networks.

"We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use," Rep. Steve Buyer, R-Ind., the ranking minority party member of the House of Representatives' committee on veterans affairs, wrote in a May 12 letter to Shinseki, hinting at the fact that all devices connecting to VA networks -- even contractor laptops -- are required to be encrypted.

A seven-month cybersecurity review undertaken last year at the behest of VA secretary Eric Shinseki found that more than 28% of the VA's vendor contracts were missing required clauses about information security, and contractors on 578 contracts actually refused to sign the clauses.

Buyer's letter indicates that cybersecurity clauses were missing from 25 out of 69 contracts between the unnamed contractor whose laptop was stolen and the Department of Veterans Affairs. "I can only conclude from this incident that VA's procurement processes seriously lack standardization in content, fail to articulate requirements, and [lack] compliance oversight," Buyer wrote.

The VA said that 12 of the 14 contracts dealing with facilities affected by this breach had such clauses and that the contractor's employees who work regularly with the VA have taken VA privacy and cybersecurity training.

Upon the laptop's theft, both the contractor and the VA appear to have acted quickly, according to an account of the response provided by a VA spokeswoman. The laptop in question was stolen April 22 from the personal vehicle of one of the contractor's employees, who immediately notified authorities. The contractor notified the VA the next day, and disabled both the user account and server access from the laptop. As of Monday, all affected vets have been mailed notification letters and credit protection offers.

The contractor has also installed whole-disk encryption for VA Pharmacy Services computers, of which the laptop in question was one. Laptops at VA Pharmacy Services have also been replaced by encrypted desktops, the VA is conducting an assessment of the contractor's facility, and began a review of other IT contracts for cybersecurity compliance.

The VA breach comes just over four years after the theft of a VA employee's laptop that had held sensitive personal data on 26.5 million veterans and 2.2 million service members. That breach eventually cost the VA $48 million in notification and a subsequent class action lawsuit.

Though the laptop in that case was eventually recovered, apparently without the data being used for nefarious purposes, the breach and another one a few months later (a Unisys-owned laptop with patient information that went missing) led to unanimously passed legislation meant to ensure the security of veterans' identity and credit information and to VA directives aimed at preventing future similar breaches.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.