VA computer security sucks

Veterans Administration officials told Congress on Thursday that a department employee had been routinely taking home data on over 26 million veterans for over three years before it was stolen from his house in an apparent burglary May 3.

Jim Nicholson, Secretary of Veterans Affairs, said that he was not notified of the theft until May 16, and was outraged over the delay. So was Congress, in fact.

What’s more, he said “embedded cultural resistance” to change, or what you and I would call common bureaucratic inertia, was responsible for poor computer security practices in the department.

That inertia is beginning to dissolve, he told a joint hearing of the Veterans’ Affairs and Homeland Security and Government Affairs Committees.

“But I’m not going to tell you it’s what it should be,” he said in response to a question from Senator Susan Collins, the Maine Republican who heads the homeland security panel.

Mr. Nicholson said that just sending letters to veterans whose data was compromised — those discharged since 1975, plus some veterans getting disability compensation — would cost $11 million to $12 million. He did not specify how much the agency expected to spend on telephone banks, Web sites and other measures, but Ms. Collins said she expected him to have to ask for more money. — New York Times

So not only do 26 million veterans get screwed, we all wind up having to pay for it.

I’ve heard talk that this might not have been just a plain old burglary, but a specific attempt to get just that information. A burglary isn’t the best way to go about it, and in fact, because the crime is likely to get reported, everyone in that file (eventually) gets notified, and one would have to move fast to make use of the information. The proper way to commit this sort of crime is to copy the data, and leave the original in place, apparently undisturbed. Done properly, and with such a large data set, one could commit identity theft on many thousands of people for years before anybody ever figured out the connection–

You can be sure I’ll have more on just how badly computer security sucks at the VA in the future.