[ISN] Top VA Officials Criticized in Data Theft

From: InfoSec News (alertsinfosecnews.org)
Date: Wed Jul 12 2006 - 00:43:34 CDT


http://www.washingtonpost.com/wp-dyn/content/article/2006/07/11/AR2006071101066.html

By Christopher Lee
Washington Post Staff Writer
July 12, 2006

A career analyst and top officials at the Department of Veterans Affairs
share the blame for the recent theft of sensitive personal data on
millions of veterans, federal investigators said yesterday.

In a 68-page report, VA Inspector General George J. Opfer recommended that
VA Secretary Jim Nicholson "take whatever administrative action deemed
appropriate" to punish officials who were slow to report and investigate
the May 3 theft of a laptop computer and an external hard drive from the
analyst's Aspen Hill home.

Opfer wrote that new security measures since the theft are "a positive
step" but are inadequate. Nicholson should establish "one clear, concise
VA policy on safeguarding protected information," he wrote.

The report, the product of a nearly two-month investigation, included no
new major findings about the theft and the department's handling of it --
subjects picked over for weeks in a series of congressional hearings and
in news stories.

It did, however, unearth previously undisclosed details, such as that the
stolen laptop itself contained no VA data, only the external drive did.
The report also found that, contrary to testimony by VA officials, the
thieves would not have needed to know how to use a statistical software
program to view the data.

The laptop and hard drive were recovered last month by law enforcement. VA
spokesman Matt Burns said the FBI informed the department yesterday that,
after a battery of forensic tests, investigators had a "high degree of
confidence" that the thieves had not accessed the data.

Robert Wallace, executive director of the Veterans of Foreign Wars, said
the IG report underscored the "lack of leadership" at VA. Senior officials
knew of the theft within an hour of when the employee reported it to local
police, but Nicholson was not told until almost two weeks later. He did
not inform the public until six days after that, on May 22.

"We're waiting for the secretary to act," Wallace said. "I want him to
take every action he has to clean that place up. The secretary seems to be
the poor guy sitting out on a limb; he's the last guy to know, and then he
responds."

In a statement, Nicholson said that "VA has embarked on a course of action
to wholly improve its cyber and information security programs." He added:
"The IG's report confirms that we must continue with our aggressive
efforts to reform the current system."

Nicholson earlier forced the retirement of Dennis Duffy, a longtime civil
servant who was the acting assistant secretary overseeing the division in
which the analyst worked. Michael McLendon, a political appointee who
supervised the analyst, resigned from the department soon after Nicholson
disclosed the theft to the public.

The analyst -- who the IG confirms took the data home without
authorization -- has been notified of his termination, but he is
challenging the firing. The analyst began taking the data home in 2003 for
a self-described "fascination project" to test the accuracy of a survey of
veterans by VA in 2001, the report said.

Rep. Lane Evans (Ill.), ranking Democrat on the House Committee on
Veterans Affairs, said in a statement: "The Secretary testified before our
Committee that he is 'mad as hell' about the data breach. He should be.
His actions in light of these IG findings will tell us if those words were
deeply felt or simply meant to engender sympathy under intense pressure."

© 2006 The Washington Post Company
