Unencrypted thumb drive causes breach at VA

VA employee broke rules and plugged in personal drive at work

Two recent privacy breaches at the Veterans Affairs Department involved employees who disregarded information security protocols they were trained to follow, said Roger Baker, assistant secretary for information and technology at VA.

One incident involved an employee who plugged a personal unencrypted thumb drive into his computer at work and used it to inappropriately store Social Security numbers and other personal data for 240 veterans. The thumb drive was then lost inside a VA facility, found by a VA security guard, taken home by the guard and finally returned to VA officials, who declared the events a security breach.

In the other incident, a VA employee printed out Social Security numbers and other personal information on 180 veterans and took the papers home, where he typed the information into a Microsoft Word file on his home computer. When he tried to send the file to his work account via e-mail, VA's system flagged the message, resulting in discovery of the breach.



All three employees, including the security guard, had received mandatory training in proper security and privacy protocols, which prohibit use of unauthorized devices at work and printing and taking personal data home, Baker said in a conference call with reporters Nov. 17. The workers have been counseled about the violations, although Baker declined to say whether specific disciplinary actions had been taken.

VA has 300,000 employees, so those types of data breaches are nearly impossible to prevent, Baker said. But they are becoming easier to detect with the help of recently installed software that gives an overview of devices linked to the department’s network.

“By 2011, we will have visibility to every device,” he added.

All the veterans whose data was affected are being notified and offered credit monitoring services as a preventive measure against identity theft, he said.

Although the agency’s IT systems were working properly in both instances, worker error was the cause of the breaches. “I cannot count all the things that went wrong” in the two breaches, Baker said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
