Security Problems Linger at VA

Despite highly publicized breach, Veterans Affairs' IT efforts still coming up short, according to GAO report

Tim Wilson, Editor in Chief, Dark Reading, Contributor

September 20, 2007

2 Min Read

The U.S. Department of Veterans' Affairs, site of one of last year's most infamous security breaches, still has not done enough to eliminate all of its vulnerabilities, the Government Accountability Office said yesterday.

In a new report, the GAO says the VA has made some progress in fixing its IT woes, but there's still much work to be done.

The VA came under fire last year when a laptop containing personal information of some 26.5 million veterans was stolen from the home of one of its employees. The incident cost the employee -- and the deputy assistant secretary of the VA -- their jobs and raised major questions about laptop security policies at the agency and elsewhere. (See VA Data Loss Worse Than Expected.)

"Some progress has been made: For example, the department took actions to improved controls over IT equipment, such as issuing several new policies to establish guidance and controls for information security," the GAO reports. "But because the realignment was not yet fully implemented, improved processes for inventory control had not been established."

In other words, the VA still doesn't know where many of its computers are. In a statistical test of the VA's inventory system, the GAO identified a total of 123 missing IT equipment items, including 53 computers that could have stored sensitive data.

"The lack of user-level accountability and inaccurate records on status, location, and item descriptions make it difficult to determine the extent to which actual theft, loss, or misappropriation may have occurred without detection," the GAO said.

The GAO also found that four VA locations had reported more than 2,400 missing IT equipment items, valued at $6.4 million, identified during physical inventories performed during fiscal 2005 and 2006: "Missing items were often not reported for several months, and in some cases, several years."

In addition, the GAO found hard drives in the excess property disposal process at two of the four locations that still contained personal information, including veterans' names and Social Security numbers.

VA officials acknowledged the report's accuracy and said that changes are under way to resolve the vulnerabilities.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights