Although the VA hasn't found evidence that the data itself has been breached, the theft of the laptop, which was owned by a contractor and not the VA, highlights organizations' need to work closely with contractors on cybersecurity issues.
That need was also spotlighted last year when reports emerged that hackers had stolen sensitive data about the Pentagon's $300 billion Joint Strike Fighter's electronics systems that had been hosted on contractors' networks.
"We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use," Rep. Steve Buyer, R-Ind., the ranking minority party member of the House of Representatives' committee on veterans affairs, wrote in a May 12 letter to Shinseki, hinting at the fact that all devices connecting to VA networks -- even contractor laptops -- are required to be encrypted.
A seven-month cybersecurity review undertaken last year at the behest of VA secretary Eric Shinseki found that more than 28% of the VA's vendor contracts were missing required clauses about information security, and contractors on 578 contracts actually refused to sign the clauses.
Buyer's letter indicates that cybersecurity clauses were missing from 25 out of 69 contracts between the unnamed contractor whose laptop was stolen and the Department of Veterans Affairs. "I can only conclude from this incident that VA's procurement processes seriously lack standardization in content, fail to articulate requirements, and [lack] compliance oversight," Buyer wrote.
The VA said that 12 of the 14 contracts dealing with facilities affected by this breach had such clauses and that the contractor's employees who work regularly with the VA have taken VA privacy and cybersecurity training.
Upon the laptop's theft, both the contractor and the VA appear to have acted quickly, according to an account of the response provided by a VA spokeswoman. The laptop in question was stolen April 22 from the personal vehicle of one of the contractor's employees, who immediately notified authorities. The contractor notified the VA the next day, and disabled both the user account and server access from the laptop. As of Monday, all affected vets have been mailed notification letters and credit protection offers.
The contractor has also installed whole-disk encryption on VA Pharmacy Services computers, of which the laptop in question was one. Laptops at VA Pharmacy Services have also been replaced by encrypted desktops, the VA is conducting an assessment of the contractor's facility, and it has begun a review of other IT contracts for cybersecurity compliance.
The VA breach comes just over four years after the theft of a VA employee's laptop that had held sensitive personal data on 26.5 million veterans and 2.2 million service members. That breach eventually cost the VA $48 million in notification costs and a subsequent class action lawsuit.
Though the laptop in that case was eventually recovered, apparently without the data being used for nefarious purposes, the breach and another one a few months later (a Unisys-owned laptop with patient information that went missing) led to unanimously passed legislation meant to ensure the security of veterans' identity and credit information and to VA directives aimed at preventing future similar breaches.