Sensitive information on millions of U.S. military personnel and veterans remains at grave risk because of weak security controls that have not yet been fixed, government investigators said Wednesday.
In testimony to Congress, the Government Accountability Office and Veterans Affairs inspector general detailed ignored warnings, weak management and lax rules in their review of VA information security following the theft of 26.5 million military personnel’s private data last month.
They found that the Veterans Affairs Department routinely failed to control and monitor employee access to private information, did not restrict users to “need-to-know” data and often waited too long to terminate accounts when an employee quit or was fired.
The investigators also said the VA lacked a clear chain of command in enforcing security, noting the agency will need dramatically stronger leadership under VA Secretary Jim Nicholson to force reform after five years of repeated warnings about security.
“Much work remains to be done,” Linda Koontz, a director on information management at GAO, told the House Veterans Affairs Committee. “Only through strong leadership, sustained management commitment and effort, disciplined processes, and consistent oversight can VA address its persistent, long-standing control weaknesses.”
Congress is trying to determine whether the VA took proper steps to guard against the unauthorized disclosure of personal information in what has become one of the nation’s largest security breaches. The May 3 theft at a VA data analyst’s home involved names, birth dates and Social Security numbers.
The agency has acknowledged that the longtime midlevel employee — who has since been fired — improperly took the information home on an unsecured personal laptop for three years, apparently without his supervisor’s knowledge.
Since then, Nicholson has pledged several security initiatives, including additional training and a ban on employees using personal laptops to access the VA network. He also has hired a former Arizona prosecutor, Richard Romley, as a special adviser for information security, a new three-month post that will make additional recommendations.
But in their testimony Wednesday, government investigators said the problem was long-standing and much more widespread.
They pointed to repeated occasions in the last year in which VA employees passed along veterans’ medical information via unencrypted e-mail, or were allowed to log freely into the VA secure network during their off-duty hours or even after they had been terminated.
In other instances, files were not adequately segregated or password-protected, making it easy for hackers to access the sensitive information.
When the VA was told of problems over the years, it often made spotty improvements but failed to carry out reform agency-wide. The agency also has yet to put in place a security response program to monitor suspicious log-on activity, said Michael Staley, an assistant VA inspector general, in testimony.
“These conditions place sensitive information, including financial data and sensitive veteran medical and benefit information, at risk, possibly without detection of inadvertent or deliberate misuse, fraudulent use, improper disclosure or destruction,” Staley said.