BreachExchange mailing list archives

Congress turns up heat on VA data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Nov 2013 22:01:23 -0700

http://fcw.com/articles/2013/11/04/congress-investigates-va-data-breaches.aspx

The congressional investigation into the Department of Veterans Affairs IT
security protocols has ramped up after VA officials gave inconsistent
explanations for at least nine state-sponsored data breaches since 2010
that potentially put at risk the private information of more than 20
million veterans and their families.

The House Veterans Affairs Committee has directed six formal inquiries to
VA's Office of Information and Technology since Oct. 23, totaling more than
100 predominantly yes-or-no questions concerning routine IT security
practices and standards mandated by federal law, including the Federal
Information Security Management Act (FISMA).

Rep. Mike Coffman (R-Colo.), chairman of the Subcommittee on Oversight and
Investigations, demanded VA responses to all six inquiries by Nov. 14.

VA's recent track record for responding to congressional inquiries has been
poor. According to one Capitol Hill official familiar with the
investigation, VA has 111 outstanding information requests dating back to
June 2012.

The latest batch stems from revelations that multiple actors have
compromised VA computer networks since March 2010, with VA officials unable
to determine what information was exposed because the agency failed to
comply with FISMA.

Some of the apparently breached systems contained unencrypted personally
identifiable information regarding veterans and their dependents. Committee
Chairman Jeff Miller (R-Fla.) and ranking Democrat Mike Michaud of Maine
called that a "disturbing revelation" in a letter to VA Secretary Eric
Shinseki after a June 4 hearing that saw VA officials provide conflicting
information about the degree and nature of the breaches.

A source within VA OIT told FCW that no veteran's personally identifiable
information, such as names or Social Security numbers, was exfiltrated
during any intrusion attempts.

The source, who spoke on condition of anonymity, said the only compromised
data appears to be "domain server information" that resulted in "somebody
swiping IP [addresses] and passwords for system administrators, which
resulted in immediate shutdown."

"There are intrusions and there are intrusion attempts. Not all intrusion
attempts result in a breach of data," the source said, attributing some of
Congress' renewed investigatory vigor to a miscommunication of definitions.

"This is no repeat of the 2006 incident," the source added. In that
incident, someone stole a VA laptop from a VA employee's home. The theft
potentially exposed personal information, cost the agency tens of millions
of dollars and led to the creation of the VA's Data Breach Core Team, which
investigates data breaches and determines whether the agency will offer
credit monitoring services to veterans in suspected breaches. The agency
offered credit monitoring to 16,000 veterans in 2012, but a breach of every
veteran's personal data could cost the agency hundreds of millions of
dollars in credit monitoring alone, the source said.

Congress' dogged interest has created a "stressed environment" within OIT,
where only about 20 of its 8,000 employees are compiling responses to the
inquiries, according to the source. Many questions posed by Congress to VA
contain sub-questions or require documentation, "making it more like 500 or
600 questions." The source said the agency is tackling the easier questions
first in an effort to respond by the approaching deadline.

The source said the inquiries have added turmoil to a department that
recently returned half its workforce from government shutdown and has a
history of well-documented problems.

"It's another full-time job for a lot of folks, and the anticipation in
submitting these questions is that it will beget more and they'll come back
until they get a 'gotcha,'" the source said.

The Hill official familiar with the probe says the intention is not to
burden the agency but to get answers to questions that should not be
unfamiliar to any large IT organization. "These inquiries aren't meant to
create extra work for VA. They are meant to make sure the agency is
adhering to the laws, standards and guidelines they should already be
doing," the Hill source said.

VA did not respond to multiple requests for comment.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
