On Day Stolen VA Laptop and Disk Recovered, VA Announces They Also Lost a Backup Tape In A Different Location

Well…Jim Nicholson, the VA Secretary, must be relieved the much-publicized stolen laptop and disk were recovered (more on that later), but then he announced a backup tape "with more than 16,000 case records is missing from the Veterans Affairs regional office in Indianapolis."

Actually the backup tape was discovered missing on May 5, two days after the laptop and disk were stolen.  Why did they wait to announce this additional incident along with the news of the recovered laptop and disk?  Did the VA think that it would be just too overwhelming for the public to learn that the records of 26.5 million veterans and individuals in active service were stolen AND that a backup tape was missing?  Likely they didn’t want to look even more sloppy with information security practices…with incidents occurring at virtually the same time in different locations.  I guess yesterday they saw a good opportunity for a "we have some good news, and bad news" moment.

Or, did they plan not to report the lost backup tape at all, but then decided it would lessen the impact of that incident if they announced it WITH the news that the laptop and disk were recovered?  Both took way too long to be reported to those whose personal information was stored on the devices.

And the statements downplaying the likelihood that the data on the recovered laptop and disk was accessed are meant to be positive spin, but c’mon!  In this day and age a significant portion of the population knows that complete disks and files can be copied without leaving any evidence of such activity.  Regarding the recovered laptop and disk…

"The FBI, in a statement from its Baltimore field office, said a preliminary review of the equipment by its computer forensic teams “has determined that the (Maryland) data base remains intact and has not been accessed since it was stolen.” More tests were planned, however."

Who knows…or will ever know?  It’s very possible the data was not copied.  But it’s also possible it was.  Why can’t the agencies involved with investigations be upfront with their statements and just admit that there is no way they can determine whether or not the data was copied?

Organizations who have incidents, thefts and losses need to realize there are tens of thousands of information security professionals who know better than to believe their spin…they should not release such downplaying comfort statements to the public in the same way a parent talks to their preschool child.  Not only will info sec pros see right through the spin, but those with no info sec savvy will gullibly believe that they have nothing to worry about.  People need to realize there are many more bad things that can be done with personal information than just commit identity theft…and the bad things can occur for a very long time after the incident. 
