Stolen VA laptop caught in safety net

Department’s mobile data security policies and practices prevented information breach

Agencies lag on security

Some agencies have not yet established security policies as the Office of Management and Budget directed them to do after a well-publicized security incident at the Veterans Affairs Department in 2006. VA computer equipment and data on 25.6 million veterans and their families was stolen. Government auditors released these figures in February to show the actions that agencies have taken to implement the security policies that OMB mandated after the 2006 laptop PC theft.

Encrypt mobile data:

Done: 22 agencies

Not done: 2 agencies

Add two-factor authentication:

Done: 14 agencies

Not done: 10 agencies

Add time-out function:

Done: 15 agencies

Not done: 9 agencies

Log computer extracts:

Done: 11 agencies

Not done: 13 agencies

Source: Government Accountability Office

The Veterans Affairs Department lost another laptop PC, but the department was better prepared this time.

When an employee at VA’s Austin Corporate Data Center in Texas had his laptop stolen from his apartment last month, the department’s revamped security policies and new security technologies were put to the test. Unlike what happened when a VA laptop was stolen in 2006, data on the newly missing laptop was protected by encryption, and VA officials knew exactly what equipment was missing.

“The safety net held,” said Adair Martinez, VA’s deputy assistant secretary for information protection and risk management. “Even though it can be hard to carry out some of the controls we require, the reward is that government information can’t be violated.”

In May 2006, when another employee had a laptop stolen that contained millions of veterans’ records, VA quickly established new policies, procedures and technology fixes to tighten data security. Experts say this latest VA incident shows that the department learned from its experience.    

VA protected the laptop with GuardianEdge full-disk encryption. No one lacking proper authentication could do more than turn on the computer. The encryption software would block unauthorized users from accessing the data, Martinez said.    

In the latest incident, the employee immediately reported the theft to VA and the Austin police department. Because VA followed information technology security policies and procedures, officials could determine that no sensitive data resided on the laptop.

VA had maintained its asset management inventory processes, so officials knew what equipment was missing. Employees are required to bring their laptops into their office’s IT shop at least every 30 days to receive software updates. Technicians upgrade Microsoft Windows, antivirus, intrusion-detection and encryption software during those updates, Martinez said.

On the evening of the theft, Austin police recovered the laptop in a raid on a convenience store suspected of involvement in drug activity. Police noticed the VA insignia flashing on a laptop running in the back of the store. Believing it might be stolen government property, the police took possession of it and notified the Homeland Security Department, which contacted VA and returned it. The only damage was a broken lock. The employee whose laptop was stolen had permission to bring the laptop home, where he had locked it down to furniture.

After the 2006 incident, OMB directed agencies to encrypt mobile data, implement a timeout function that requires reauthentication, and establish policies for logging computer-readable extracts from databases holding sensitive information.   

“Agencies are encrypting all data — data at rest, data that is mobile,” said Karen Evans, OMB’s administrator for e-government and IT. “We also are using two-factor authentication, which makes sure only authorized people are on your network.”

Data security policies and procedures are needed, but encrypting the data is what protected VA, said Alan Paller, research director at the SANS Institute. VA should be commended for having accomplished that, he said. “Encrypting data is the only defense against attacks right now.” 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Acquisition
    Shutterstock ID 169474442 By Maxx-Studio

    The growing importance of GWACs

    One of the government's most popular methods for buying emerging technologies and critical IT services faces significant challenges in an ever-changing marketplace

  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

Stay Connected