Unencrypted thumb drive causes breach at VA

VA employee broke rules and plugged in personal drive at work

Two recent privacy breaches at the Veterans Affairs Department involved employees who disregarded information security protocols they were trained to follow, said Roger Baker, assistant secretary for information and technology at VA.

One incident involved an employee who plugged a personal unencrypted thumb drive into his computer at work and used it to inappropriately store Social Security numbers and other personal data for 240 veterans. The thumb drive was then lost inside a VA facility, found by a VA security guard, taken home by the guard and finally returned to VA officials, who declared the events a security breach.

In the other incident, a VA employee printed out Social Security numbers and other personal information on 180 veterans and took the papers home, where he typed the information into a Microsoft Word file on his home computer. When he tried to send the file to his work account via e-mail, VA's system flagged the message, resulting in discovery of the breach.


Related stories:

VA gets visibility with cybersecurity tool

Personal data of reservists, veterans at risk in recent thefts


All three employees, including the security guard, had received mandatory training in proper security and privacy protocols, which prohibit use of unauthorized devices at work and printing and taking personal data home, Baker said in a conference call with reporters Nov. 17. The workers have been counseled about the violations, although Baker declined to say whether specific disciplinary actions had been taken.

VA has 300,000 employees so those types of data breaches are nearly impossible to prevent, Baker said. But they are becoming easier to detect with the help of recently installed software that gives an overview of devices linked to the department’s network.

“By 2011, we will have visibility to every device,” he added.

All the veterans whose data was affected are being notified and offered credit monitoring services as a preventive measure against identity theft, he said.

Although the agency’s IT systems were working properly in both instances, worker error was the cause of the breaches. “I cannot count all the things that went wrong” in the two breaches, Baker said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Mon, Jan 3, 2011

No doubt these employees got a verbal chastisement (read that as shuckin' 'n jive'n round the water cooler). Then business as usual.

Mon, Nov 22, 2010 GOA Omaha

When I have seen these breach disclosuires in the past the one discussion that seems to be missing is why these folks felt they needed to committ these acts in order to do their jobs. Were they prevented from getting such information in the first place? Was there a task they needed to complete quickly that was impossible without such a breach? It is not just the act of breach that we must question, it is the prevention of the need to breach by looking at how data is intended to be used. The process to get permission to use data for a legitimate need is onerous and time-consuming, and generally based on paper documents. Our needs for data are far outpacing our regulations and directives. Prevention includes management of data, not just putting locks on the doors. Someone is always going to kick the door in if the boss is demanding a report.

Sat, Nov 20, 2010 Bob McPherson Nags Head NC

Good Job Roger Baker. On many differnet levels this was a success. Public acknowledement of the issue makes it transparent and should help educate VA employees that this is being taken seriously by management. And the fact that Roger Baker is personally involved is a positive sign that it is taken seriously at the very top. Nothing will prevent these incidents, but top management attention will reduce them. Good Job.

Fri, Nov 19, 2010

It would be interesting to know if the employee that printed the email and sent them back to their business email was working allowed to work from home, what department did he work for and what charges were filed?

Fri, Nov 19, 2010 Carlo Sametini

Are we on the same page. Dismissal is mandatory,Is it not? Or are we excusing the fact as,as usual? And give the employees a negative work review!

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above