Another VA Computer Missing Containing Personal Data on 38,000 Vets…Are We Surprised?

It was disappointing, but not really surprising, to read in Computerworld today that another VA computer was missing.  What is a bit unusual is that it was a desktop computer, as opposed to the typical missing or stolen laptop, notebook, or handheld.  This time it was a Unisys contractor who was using the computer.

"VA officials are also working with Unisys regarding an offer of credit monitoring and individual notifications to those who may be affected."

Gee…this is kinda "deja vu all over again," isn't it?  The veterans were initially offered credit monitoring after the last incident, but then the government cancelled that offer when the laptop and hard drive were found months later.  If a credit monitoring offer is made this time, do you think they will retract it…again…as soon as the computer is found, if it is found…even though someone intentionally stole it?

"The loss of this computer comes just two days after Montgomery County Police in Maryland announced the arrests of two men accused of stealing a VA laptop and hard drive that contained identifying information on 26.5 million veterans and active-duty military personnel in May. That laptop was recovered in June and the VA does not believe that any of the personal information contained on it was compromised."

Yah…right…there is no way to tell for certain whether data on a recovered disk has or has not been copied.  If these two men stole the computer and hard drive, they could very well have made a copy, or several copies, of the data to use for years into the future.  Sensitive data on 26.5 million people is a pretty good retirement plan.

"[The] VA is making progress in efforts to reform its information technology and cyber security procedures, but this report of a missing computer at a subcontractor's secure building underscores the complexity of the work ahead as we establish VA as a leader in data and information security," said Nicholson in the statement.

Organizations of every size need to be diligent about information security practices.  Small and medium sized businesses often do not have dedicated information security personnel on staff to comprehensively address security issues.  Some organizations are such behemoths that a centralized information security office with too few employees cannot effectively address security throughout the entire organization.  Veterans Affairs is such a behemoth, with 235,974 employees at the beginning of the year…not to mention thousands of contractors…and around 500 information security officers.  So significantly less than 1% of the staff…around 0.2%…are responsible for securing a vast amount of sensitive data on "approximately 70 million people" that is scattered among potentially thousands of locations.

I believe many more organizations lose laptops, notebooks, handhelds, storage media and so on than are ever reported…even with today's breach notification laws.  I know from speaking with several organizations that many of these losses and thefts are reported to physical security, and the insurance is claimed on the hardware value.  The information security department often does not find out until days, weeks, or even months later, if ever at all, and by then there is often no idea of the types of data that were on the devices.

This situation points out some important lessons for organizations.

  • You need enough people responsible for information security to have effective information security.
  • You need policies and procedures in place to ensure the security of laptops, storage devices, and end-user computers, and you need to enforce them consistently.
  • You need a comprehensive inventory of data and computing devices, so you know which devices hold sensitive data and do not misplace important information.
  • You need to perform consistent and effective security program reviews of the organizations to which you entrust your sensitive information and its processing, so that their sloppy and/or insecure practices do not put your organization at risk or result in significant negative impact to it.
  • The more distributed data is, and the more mobile data is, the more at risk data is.
  • The more you depend upon end-users for securing information, the more information security and privacy education, training and awareness must be provided on an ongoing basis.
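The inventory and third-party lessons above are the ones that turn a vague "we don't know what was on it" into an answer.  As an added illustration (this is my example, not VA or Unisys code, and the asset register, data register and audit results below are constructed sample data), the following Python reconciles three records an organization should already keep: which devices exist and who holds them, which sensitive datasets sit on which device, and which devices were actually verified in the last physical audit.  Any device holding sensitive data that has no custodian, was not seen in the audit, or is not even in the asset register gets flagged, largest exposure first, before the device goes missing rather than after.

```python
from collections import defaultdict

# Constructed sample asset register: one row per device, with custodian and site.
# An empty custodian means nobody is accountable for the device.
ASSETS = [
    {"asset_id": "WS-1001", "type": "desktop", "custodian": "j.doe", "site": "HQ"},
    {"asset_id": "LT-2044", "type": "laptop", "custodian": "", "site": "Field"},
    {"asset_id": "LT-2045", "type": "laptop", "custodian": "a.smith", "site": "Field"},
    {"asset_id": "WS-1002", "type": "desktop", "custodian": "contractor-x", "site": "Vendor"},
]

# Constructed data register: which datasets live on which device, how many
# records, and their classification.  Note the contractor copy on EXT-9001,
# a device the asset register has never heard of.
DATA_HOLDINGS = [
    {"asset_id": "WS-1001", "dataset": "benefits-extract", "records": 52000, "classification": "PII"},
    {"asset_id": "LT-2044", "dataset": "claims-backup", "records": 3100, "classification": "PII"},
    {"asset_id": "LT-2045", "dataset": "training-deck", "records": 0, "classification": "PUBLIC"},
    {"asset_id": "EXT-9001", "dataset": "contractor-copy", "records": 1200, "classification": "PII"},
]

# Constructed result of the last physical audit: asset ids that were actually
# seen and verified.  LT-2044 was not.
LAST_AUDIT_SEEN = {"WS-1001", "LT-2045"}


def find_at_risk_devices(assets, holdings, seen_in_audit, sensitive=("PII",)):
    """Return devices holding sensitive data whose custody cannot be vouched for.

    Each finding is {"asset_id", "records", "reasons"}; the list is sorted so the
    device with the most sensitive records comes first.
    """
    by_id = {a["asset_id"]: a for a in assets}

    # Total sensitive records per device; devices holding only non-sensitive
    # data drop out here.
    sensitive_records = defaultdict(int)
    for h in holdings:
        if h["classification"] in sensitive:
            sensitive_records[h["asset_id"]] += h["records"]

    findings = []
    for asset_id, records in sensitive_records.items():
        reasons = []
        asset = by_id.get(asset_id)
        if asset is None:
            # Data register references a device the asset register does not track.
            reasons.append("sensitive data recorded on a device missing from the asset register")
        else:
            if not asset["custodian"]:
                reasons.append("no custodian assigned")
            if asset_id not in seen_in_audit:
                reasons.append("not verified in the last physical audit")
        if reasons:
            findings.append({"asset_id": asset_id, "records": records, "reasons": reasons})

    findings.sort(key=lambda f: -f["records"])
    return findings


if __name__ == "__main__":
    for f in find_at_risk_devices(ASSETS, DATA_HOLDINGS, LAST_AUDIT_SEEN):
        print(f"{f['asset_id']}: {f['records']} sensitive records; " + "; ".join(f["reasons"]))
```

Run against the sample data, LT-2044 is reported first (sensitive data, no custodian, not seen in the audit) and EXT-9001 second (sensitive data on a device nobody inventoried, which is exactly the contractor scenario in the story).  WS-1001 holds the most records but is not flagged, because it has a custodian and was verified; the check is about unaccounted-for custody, not data volume.  In a real deployment the three inputs would come from the asset management system, the data classification register and the audit tool, and the report would go to the information security office rather than only to physical security.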
