IG slams VA for 'indifference' to laptop theft

Officials at the Department of Veterans Affairs acted with indifference and little sense of urgency when someone stole a laptop computer and hard drive from a VA employee’s home May 3, according to a report by the department’s inspector general. The theft potentially exposed some 26.5 million records of active and retired military personnel.

The IG report was especially critical of Michael McLendon, then deputy assistant secretary for policy, who rewrote the employee’s account of the incident before passing it on to his superior, Dennis Duffy, former acting assistant secretary for policy, planning and preparedness.

According to the report, McLendon told Duffy of his intention to rewrite the document, which he submitted to Duffy May 8.

“Our review of Mr. McLendon’s revisions determined that his changes were an attempt to mitigate the risk of misuse of the stolen data,” the IG said. According to the report, McLendon suggested that a software program protected the stolen personal data by making access difficult. “This, however, was not the case,” the report states.

The report blames Duffy for failing to perceive the importance of the incident and not talking to the employee.

The IG said McLendon and Duffy bear responsibility “for the impact that their strained relationship, which both acknowledged,” may have had on the response to the incident. Both are no longer with VA.

The IG also criticized John Baffa, deputy assistant secretary for security and law enforcement, and Thomas Bowman, chief of staff, for their lax response. The report notes that at nearly every step, VA officials “reacted with indifference and little sense of urgency or responsibility” to the data theft.

It states that 12 days after receiving the incident report, the VA Security Operations Center, which is responsible for assessing and resolving information security incidents, still had made “no meaningful progress in assessing the magnitude of the event.”

According to the IG, an external drive carried the personal records and was stolen with the employee’s laptop, which did not contain VA data. The FBI recovered the laptop and drive nearly two months later.

The IG report said that although the employee had authorized access to veterans’ personal data at work, supervisors were unaware that he had been using the records at home since 2003 for a self-initiated project. The supervisors insisted they would not have authorized him to take home such large amounts of VA data.

The report states that the employee used extremely poor judgment and failed to encrypt the data or use a password to protect it. “The serious error in judgment is one for which the employee is personally accountable,” it states.

It notes that the VA “has already proposed administrative action” against the employee, but he will not be prosecuted for criminal activity.

The “VA has embarked on a course of action to wholly improve its cyber and information security programs,” VA Secretary Jim Nicholson said in a statement issued today. “The IG’s report confirms that we must continue with our aggressive efforts to reform the current system.”

“VA remains unwavering in its resolve to become the leader in protecting personal information, training and educating our employees in best practices, and establishing a culture that always puts the safekeeping of veterans’ personal information first,” Nicholson said.

Senate Veterans’ Affairs Committee chairman Larry Craig (R-Idaho) said the report is “a stinging indictment of a security system that was lax to nonexistent.”

“I want VA to spell out exactly what they have done and what they intend to do to protect the data of our nation’s veterans,” Craig said.

Craig has scheduled a committee hearing July 20, and Nicholson and IG George Opfer will testify.

The FBI has told the VA that it has completed its forensics examination of the laptop and hard drive.

“The FBI has indicated to VA that it has a high degree of confidence -- based on the results of the forensic tests and other information gathered during the investigation -- that the sensitive files were not accessed or compromised,” VA spokesman Matthew Burns said in a statement.