Officials probe latest VA data breach

The Veterans Affairs Department's fiscal 2008 budget request released earlier this week reflects an emphasis on information security, coming as another investigation of a data breach hangs over the department.

The FBI and the VA inspector general are investigating the Jan. 22 disappearance of an external hard drive from an agency facility in Birmingham, Ala. The hard drive potentially could contain personal information on 48,000 veterans. VA spokesman Matt Burns said initial reports show encryption policies "were not strictly followed."

"I am concerned about this report," VA Secretary James Nicholson said. "We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved."

The incident marks the third major breach at the VA in less than a year. In May 2006, the theft of computer equipment containing sensitive information from an employee's home put 26.5 million people at risk for identity theft. Four months later, another breach put at risk the personal data of up to 38,000 people. In both instances, the data was recovered and officials determined it was probably not touched.

The VA's budget proposal for fiscal 2008 would provide $70.1 million for cybersecurity-related activities to support a pledge from Nicholson to make the department "the gold standard" in IT security. Overall, the VA's IT request of $1.56 billion is $41 million less than the fiscal 2007 request but $722 million more than the estimated amount provided by congressional appropriators for fiscal 2007.

In December, Bob Howard, VA's chief information officer, said the department had taken steps to better protect personal information but still had work to do.

The salaries for 5,219 IT employees, totaling $555 million, are being transferred to Howard's control, and the department's IT application development employees are scheduled to transfer later this year.

Howard's Office of Information and Technology is conducting a separate review of the latest missing data. The hard drive involved was used to back up information contained on the employee's office computer and may have contained data from research projects the employee was working on.

The VA inspector general was notified about the breach a day after the hard drive was discovered to be missing, and immediately opened a criminal investigation. The employee's work computer has been seized and the contents are being analyzed in an attempt to help determine what was on the hard drive, VA officials said.

In addition to the ongoing criminal investigation, the IG has started an administrative review to determine how the incident occurred.

According to department officials, the employee said that while the hard drive may have contained information that could identify some veterans, portions of the data were protected.

Pending results of the investigation, the VA will send individual notifications and provide one year of free credit monitoring to those whose information may have been compromised.

"VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber- and information security," Nicholson said. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task."

"This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken," he added.

Bob Filner, D-Calif., chairman of the House Veterans' Affairs Committee, said in a statement that "there is no excuse for storing sensitive personal information about our veterans on portable government equipment that is not secure."

"This type of problem happened last May and we were very lucky to recover that hard drive -- we are not always going to be that fortunate," he said.