Unencrypted thumb drive causes breach at VA

Two recent security incidents at the Veterans Affairs Department involved employees who didn't follow protocols despite receiving training to do so.

Two recent privacy breaches at the Veterans Affairs Department involved employees who disregarded information security protocols they were trained to follow, said Roger Baker, assistant secretary for information and technology at VA.

One incident involved an employee who plugged a personal unencrypted thumb drive into his computer at work and used it to inappropriately store Social Security numbers and other personal data for 240 veterans. The thumb drive was then lost inside a VA facility, found by a VA security guard, taken home by the guard and finally returned to VA officials, who declared the events a security breach.

In the other incident, a VA employee printed out Social Security numbers and other personal information on 180 veterans and took the papers home, where he typed the information into a Microsoft Word file on his home computer. When he tried to send the file to his work account via e-mail, VA's system flagged the message, resulting in discovery of the breach.




All three employees, including the security guard, had received mandatory training in proper security and privacy protocols, which prohibit use of unauthorized devices at work and printing and taking personal data home, Baker said in a conference call with reporters Nov. 17. The workers have been counseled about the violations, although Baker declined to say whether specific disciplinary actions had been taken.

VA has 300,000 employees, so those types of data breaches are nearly impossible to prevent, Baker said. But they are becoming easier to detect with the help of recently installed software that gives an overview of devices linked to the department’s network.

“By 2011, we will have visibility to every device,” he added.

All the veterans whose data was affected are being notified and offered credit monitoring services as a preventive measure against identity theft, he said.

Although the agency’s IT systems were working properly in both instances, worker error was the cause of the breaches. “I cannot count all the things that went wrong” in the two breaches, Baker said.