
VA still lags on encryption

By Taylor Armerding, CSO
November 30, 2012 11:37 AM ET

CSO - More than six years after the Veterans Administration (VA) suffered one of the worst data breaches in history, it is still a long way from closing off the vulnerability that made the breach possible: lack of encryption.

It was on May 3, 2006, that a laptop and external hard drive containing an unencrypted national database with names, Social Security numbers, dates of birth, and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses were stolen from a VA analyst's Maryland home.

The laptop was returned almost two months later by an unknown person, but the VA still spent about $20 million to notify those whose information had been compromised and for credit monitoring.

Three months later, in August, the VA secretary ordered the agency's Office of Information Technology (OIT) to upgrade all VA laptop and desktop computers with enhanced data security encryption software.

But today, more than 80% of the VA's computers are unencrypted, even though the agency spent $5.9 million for 300,000 Guardian Edge (now owned by Symantec) encryption software licenses in 2006, and another 100,000 licenses in 2011.

The VA, in a statement, contends that 99% of its laptops now carry the encryption software.

But a report issued last month by the VA's Office of the Inspector General (OIG) found that as of this past July, the VA had "installed and activated only a small portion, about 65,000 (16%), of the total 400,000 licenses procured, [even though] our annual Federal Information Security Management Act reviews have repeatedly identified the need for VA to address information security weaknesses, including inadequate implementation and enforcement of oversight controls over access to information systems."

The number could be even lower than 65,000. The report said it could include duplicate counts "when computers are turned off, reimaged, then turned on again or when computers are upgraded and not scrubbed."

"[The 65,000 is] the number of computers that had logged into the Guardian Edge/Symantec server within the previous 90 days," the report said.

The low activation rate, the report said, was due to inadequate planning and management of the project: the VA bought the software without knowing whether it was compatible with its computers, and failed to allow time to test the software to ensure compatibility.

Not surprisingly, the report's conclusion was not reassuring. "Veterans' personally identifiable information remains at risk of inadvertent or fraudulent access or use," it said.

"[The VA] has successfully encrypted over 99% of our laptop computers. We have begun deploying Windows 7 with Symantec Full Disk Encryption across the VA enterprise," a statement provided by spokeswoman Josephine Schuda said. "The rate of deployment will be approximately 2% per week, with expected completion of September 30, 2013. We are committed to installing and activating all of the purchased encryption licenses."
