Infighting hurt VA data breach response, IG finds

The dysfunctional relationship of two senior executives at the Veterans Affairs Department, one a political appointee and the other a career civil servant, hindered the response to a massive early May data breach, according to an investigative report released Tuesday.

The bureaucratic infighting between Michael McLendon, deputy assistant secretary for policy, and Dennis Duffy, acting assistant secretary for policy, planning and preparedness within the VA's Office of Policy, Planning and Preparedness, contributed to the 13-day delay in notifying senior department leaders of the theft of personal information on more than 26 million individuals, the inspector general report stated.

Duffy, McLendon's direct supervisor, retired June 30 in connection with the data breach. McClendon believed that as a political appointee, he reported to VA Secretary James Nicholson and resented the fact that a "careerist" supervised him, Duffy told investigators.

For his part, McLendon, who resigned June 2 in the aftermath of the data breach, told the investigators that the office was one of the most dysfunctional organizations in VA and was one of the most hostile work environments "he ever set foot in."

The GS-14 analyst from whose home the data was stolen on May 3 immediately notified Kevin Doyle, a VA security and law enforcement policy operations team leader, of the theft, which he described as "a career-ending incident." The data analyst also notified McLendon, who told him to take the next day off to deal with the burglary, the report stated.

McLendon never followed up with the employee and never notified Duffy, who found out from an information security officer in a "casual hallway meeting" two days later, according to the report.

The VA has initiated the process of firing the analyst, who has not been identified by the department for privacy reasons. The IG report concluded that while the employee had an official need to use the database, he did not need to take it home. The IG, however, could not find any policy specifying how information should be protected outside agency systems.

According to the report, the employee took the data home in connection with a personal "fascination project" that he initiated himself and worked on at home on his own time.

In a report detailing the situation surrounding the data breach compiled by an information security officer, McLendon added an assertion, without consultation, that the data could not be accessed without a special application, but the IG found that was not accurate because investigators were able to print out portions of the data.

The employee's direct supervisor, Michael Moore, told the IG investigators that he had "no idea what projects the employee" was working on and did not understand the size or the contents of the databases the analyst was accessing routinely. According to McLendon, Moore was assigned direct supervision of the employee because of "intense disagreement" between McLendon and Duffy, the report stated.

Until May 9, when Thomas Bowman, Nicholson's chief of staff, was informed of the data breach, McLendon, Duffy and Dat Tran, acting director of the data management and analysis service in the policy office, failed to determine the significance of the data loss, believing the breach only affected around 26,000 veterans, the report said.

In meeting with Bowman to discuss the loss, Duffy said he did not see the situation as a crisis and stated that the VA does "not do crisis management," the IG found. Duffy told the inspector that his greatest regret was failing to recognize the magnitude of the incident.

Bowman told VA Deputy Secretary Gordon Mansfield of the data breach on May 10, but both officials waited until May 16 to inform Nicholson and only did so after they had learned from the IG office that the stolen equipment most likely included the personal information of 26.5 million people.

According to the IG, a primary reason for the delay was a lack of urgency from the officials who requested legal advice from the VA general counsel's office on the department's responsibilities to notify the affected individuals.

The IG report also criticized the information security officer responding to the data breach for failing to accurately describe the scope of the incident, as well as officials at the department's Security Operations Center for failing to make sure that the incident was properly investigated.

"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility," the IG stated.

Johnny Davis, acting associate deputy assistant secretary for cybersecurity operations, transferred to another federal agency in a move unrelated to the security breach. Pedro Cadenas, the agency's chief information security officer, resigned effective Thursday because he was cut out of decision-making.

The report does not address why Nicholson waited six days, until May 22, to inform the affected veterans and Congress of the breach.