VA mandates new background checks in wake of data loss

In the wake of one of the largest information security breaches in the history of U.S. government, the Veterans Affairs Department is reviewing employee access to sensitive data and requiring new background checks.

Testifying before House and Senate committees Thursday, VA Secretary James Nicholson accepted responsibility for the security breach and said the department is reviewing all positions requiring access to sensitive data. Once this is complete, employees granted access will undergo new security and background investigations.

By the end of June, all agency employees must complete cybersecurity training and privacy awareness courses and sign a statement acknowledging the consequences for noncompliance, Nicholson said.

The department is sending individuals affected by the security breach notification through the mail that their Social Security numbers and other personal data have been stolen, and has established toll-free numbers to answer inquiries and provide information about consumer-identity protection, Nicholson said.

The theft of the data, which includes the names and birth dates of up to 26.5 million veterans, including about 100 spouses, occurred May 3 when the home of a VA data analyst was burglarized in what authorities believe was a routine break-in. Social Security numbers for some 19.6 million of those veterans were on the stolen property, as was information relating to employee disability compensation.

The unnamed employee, who is on administrative leave pending the outcome of an investigation, had been regularly downloading agency data and working on it from home since 2003, VA officials said. Law enforcement officials have said they are fairly confident the data was not the target of the break-in, because other sensitive data was left at the employee's home.

"I am outraged that this employee would do this so recklessly," Nicholson said. "I can tell you, as a 34-year veteran myself, I am mad as hell. I must carry on and get to the bottom of this … to see that this doesn't happen again."

Members of Congress also were angered by the security breach. Rep. Bob Filner, D-Calif., said Nicholson should resign.

Many lawmakers raised issue of the dismal cybersecurity grades the department has received over the past five years from the House Government Reform Committee. But officials from the VA's inspector general office said the incident relates more to the provisions in the 1974 Privacy Act than to the laws governing agency information technology security.

House Veterans' Affairs Committee Chairman Steve Buyer, R-Ind., asked that the department consider a $1 million reward for information leading to the arrest of the perpetrator and recovery of the information, noting that the VA already has requested a $25 million reprogramming of funding to deal with the fallout.

The data breach could cost the agency more than $100 million, depending on what officials decide to do, Nicholson said. He is considering disciplinary action against other agency employees for the breach.

Nicholson said VA's steps to consolidate its IT systems and centralize authority for enforcing policies in the chief information officer's office are progressing. He said he is concerned that employees can access sensitive agency data from remote locations and is trying to determine how many are telecommuting.

Nicholson said he was not notified of the theft until May 16, and that he is gravely concerned about the timing of the department's response. Several officials offered their resignations due to the lengthy delay in reporting and responding to the threat, but Nicholson has not accepted any of them.

VA Inspector General George Opfer testified that his information security officer overheard at a routine meeting one week after the incident that electronic records might have been stolen. Two days later, on May 12, the IG's office initiated a criminal investigation, and on May 15, the employee was interviewed.

On May 16, the IG office met with employees in the local police department investigating the matter and informed them of the suspected loss of the veterans' personal data. On May 17, the FBI was notified.

"The chronology that you gave us is absolutely baffling," said Senate Homeland Security and Governmental Affairs Chairwoman Susan Collins, R-Maine. "It's just inconceivable that there were such long delays."

Opfer said he wanted to notify the affected veterans sooner, but law enforcement officials were concerned that doing so would tip off the perpetrators.