Despite highly publicized breach, Veterans Affairs' IT efforts still coming up short, according to GAO report

Tim Wilson, Editor in Chief, Dark Reading, Contributor

September 20, 2007


The U.S. Department of Veterans Affairs, site of one of last year's most infamous security breaches, still has not done enough to eliminate all of its vulnerabilities, the Government Accountability Office said yesterday.

In a new report, the GAO says the VA has made some progress in fixing its IT woes, but there's still much work to be done.

The VA came under fire last year when a laptop containing personal information of some 26.5 million veterans was stolen from the home of one of its employees. The incident cost the employee -- and the deputy assistant secretary of the VA -- their jobs and raised major questions about laptop security policies at the agency and elsewhere. (See VA Data Loss Worse Than Expected.)

"Some progress has been made: For example, the department took actions to improve controls over IT equipment, such as issuing several new policies to establish guidance and controls for information security," the GAO reports. "But because the realignment was not yet fully implemented, improved processes for inventory control had not been established."

In other words, the VA still doesn't know where many of its computers are. In a statistical test of the VA's inventory system, the GAO identified a total of 123 missing IT equipment items, including 53 computers that could have stored sensitive data.

"The lack of user-level accountability and inaccurate records on status, location, and item descriptions make it difficult to determine the extent to which actual theft, loss, or misappropriation may have occurred without detection," the GAO said.

The GAO also found that four VA locations had reported more than 2,400 missing IT equipment items, valued at $6.4 million, identified during physical inventories performed during fiscal 2005 and 2006: "Missing items were often not reported for several months, and in some cases, several years."

In addition, the GAO found hard drives in the excess property disposal process at two of the four locations that still contained personal information, including veterans' names and Social Security numbers.

VA officials acknowledged the report's accuracy and said that changes are under way to resolve the vulnerabilities.

