Risk
5/14/2010
03:06 PM

Stolen VA Laptop Contains Personal Data

The theft of the laptop containing Veterans Administration data highlights the challenges of managing cybersecurity on devices belonging to contractors.

The Department of Veterans Affairs has suffered another possible breach of private data as a thief recently stole an unencrypted laptop that had held the social security numbers and other information of 616 veterans.

Although the VA hasn't found evidence that the data itself has been breached, the theft of the laptop, which was owned by a contractor and not the VA, highlights organizations' need to work closely with contractors on cybersecurity issues.

That need was also spotlighted last year when reports emerged that hackers had stolen sensitive data about the Pentagon's $300 billion Joint Strike Fighter's electronics systems that had been hosted on contractors' networks.

"We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use," Rep. Steve Buyer, R-Ind., the ranking minority party member of the House of Representatives' committee on veterans affairs, wrote in a May 12 letter to VA secretary Eric Shinseki, pointing to the requirement that all devices connecting to VA networks -- even contractor laptops -- be encrypted.

A seven-month cybersecurity review undertaken last year at the behest of VA secretary Eric Shinseki found that more than 28% of the VA's vendor contracts were missing required clauses about information security, and contractors on 578 contracts actually refused to sign the clauses.

Buyer's letter indicates that cybersecurity clauses were missing from 25 out of 69 contracts between the unnamed contractor whose laptop was stolen and the Department of Veterans Affairs. "I can only conclude from this incident that VA's procurement processes seriously lack standardization in content, fail to articulate requirements, and [lack] compliance oversight," Buyer wrote.

The VA said that 12 of the 14 contracts dealing with facilities affected by this breach had such clauses and that the contractor's employees who work regularly with the VA have taken VA privacy and cybersecurity training.

Upon the laptop's theft, both the contractor and the VA appear to have acted quickly, according to an account of the response provided by a VA spokeswoman. The laptop in question was stolen April 22 from the personal vehicle of one of the contractor's employees, who immediately notified authorities. The contractor notified the VA the next day, and disabled both the user account and server access from the laptop. As of Monday, all affected vets have been mailed notification letters and credit protection offers.

The contractor has also installed whole-disk encryption on VA Pharmacy Services computers, of which the laptop in question was one. Laptops at VA Pharmacy Services have also been replaced by encrypted desktops, and the VA is conducting an assessment of the contractor's facility and has begun a review of its other IT contracts for cybersecurity compliance.

The VA breach comes just over four years after the theft of a VA employee's laptop that had held sensitive personal data on 26.5 million veterans and 2.2 million service members. That breach eventually cost the VA $48 million in notification costs and a subsequent class action lawsuit.

Though the laptop in that case was eventually recovered, apparently without the data being used for nefarious purposes, the breach and another one a few months later (a Unisys-owned laptop with patient information that went missing) led to unanimously passed legislation meant to ensure the security of veterans' identity and credit information and to VA directives aimed at preventing future similar breaches.
