Risk
8/13/2010
03:56 PM
50%
50%

VA Posts Data Breach Reports Online

Monthly updates show the different ways data has leaked out of the agency, including lost or stolen hardware and misdirected emails.

Once again showing that it's serious about transparency, the Department of Veterans Affairs (VA) has begun posting reports about data breaches on its website.

The monthly reports, which the agency compiles for Congress, list different ways the VA has lost data, such as through lost hardware or misdirected emails.

For example, a report (PDF) from July 5 to Aug. 1 shows the agency lost two PCs, 13 BlackBerry devices and six laptops. It also reported 103 of so-called "mis-mailed" incidents, and 90 "mis-handling" incidents.

All of the lost laptops were encrypted, according to the report.

In the past the VA has had some major data breaches, including one in April that involved the loss of two unencrypted laptops that contained personal information about more than 600 veterans.

Another infamous data breach in 2006 involved the theft from a VA employee's home of a laptop that contained data on more than 26 million veterans. That incident spurred a Congressional review, as well as cost the agency $20 million to settle a class-action suit.

The VA is taking its data breaches seriously enough that VA CIO Roger Baker has begun monthly calls with members of the press to discuss them.

Since taking his position, Baker has made a concerted effort to improve IT operations at the VA, with data security being a major priority.

The posting of the reports also shows how far the agency has come in terms of transparency and accountability for its IT operations, which historically have been criticized for serious inefficiency.

Baker has put into effect an accountability program that flags IT projects behind schedule, over budget, or both. That program, which was recently expanded to all of the VA's IT projects, saved the agency $54 million in its fiscal-year 2010 budget.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9209
Published: 2015-03-30
Untrusted search path vulnerability in the Clean Utility application in Rockwell Automation FactoryTalk Services Platform before 2.71.00 and FactoryTalk View Studio 8.00.00 and earlier allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.