Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In this brief series of articles, I’ve been recounting the tale of data losses at the Department of Veterans Affairs (VA). The next column will be the last in the series.
On Monday, August 7, 2006, Secretary Nicholson announced that a Unisys subcontractor working for the VA offices in Philadelphia and Pittsburgh had reported that his desktop computer was missing. The computer contained PII for 18,000 and possibly up to 38,000 veterans.
A week later (August 14), the VA announced that it would spend $3.7 million on encryption software and would encrypt data on all the department’s computers and external data storage media or devices. Installation would begin Friday, Aug. 18.
In mid-September, the stolen Unisys desktop computer with VA data was located and a temporary employee working on subcontract to Unisys was arrested and charged in the theft.
In October 2006, the Congressional Committee on Oversight and Government Reform published a report on data losses in U.S. government agencies since January 1, 2003. There were 788 incidents in 19 agencies – in addition to hundreds of incidents at the VA. The report’s findings included these bald assertions:
1. Data loss is a government-wide occurrence. . . .
2. Agencies do not always know what has been lost. The letters received by the Committee demonstrate that, in many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete. For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, “the Department did not track the content of lost, stolen, or otherwise compromised devices.”
3. Physical security of data is essential. Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees.
4. Contractors are responsible for many of the reported breaches. Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
Comments (5)
Veterans Administration should be ashamed of the way it's dealing with that data breach
By Anonymous on June 12, 2007, 11:14 am
It's interesting that the letter states, in so many words, that (a) we (the VA) lost your data, and (b) the victim (recipient of the letter) whose personal data...
VA Loss of Data
By Anonymous on June 13, 2007, 8:41 am
I notice the letter stated that the PII was being used for research. Canada's Protection of Privacy Act requires that personal data may only be used for what it...
In Canada
By Anonymous on June 21, 2007, 2:26 pm
Fortunately, in Canada, the vast majority of the population (including hackers & thieves) are too stupid to understand IT security or even how to breach it (if it...
As a US Army Veteran am very, very grateful
By Brad Reese on June 21, 2007, 6:45 pm
As a US Army Veteran, I thank the US Department of Veterans Affairs every single day for the superb and excellent medical care they provide me and my fellow veterans. There...
Automated harassment
By Anonymous on June 29, 2007, 3:21 pm
I was subjected to this kind of harassment for well over a decade by Verizon in conjunction with another corporation. The only way out, for me was, to drop my landline...