Unencrypted thumb drive causes breach at VA

VA employee broke rules and plugged in personal drive at work

Two recent privacy breaches at the Veterans Affairs Department involved employees who disregarded information security protocols they were trained to follow, said Roger Baker, assistant secretary for information and technology at VA.

One incident involved an employee who plugged a personal unencrypted thumb drive into his computer at work and used it to inappropriately store Social Security numbers and other personal data for 240 veterans. The thumb drive was then lost inside a VA facility, found by a VA security guard, taken home by the guard and finally returned to VA officials, who declared the events a security breach.

In the other incident, a VA employee printed out Social Security numbers and other personal information on 180 veterans and took the papers home, where he typed the information into a Microsoft Word file on his home computer. When he tried to send the file to his work account via e-mail, VA's system flagged the message, resulting in discovery of the breach.


Related stories:

VA gets visibility with cybersecurity tool

Personal data of reservists, veterans at risk in recent thefts


All three employees, including the security guard, had received mandatory training in proper security and privacy protocols, which prohibit use of unauthorized devices at work and printing and taking personal data home, Baker said in a conference call with reporters Nov. 17. The workers have been counseled about the violations, although Baker declined to say whether specific disciplinary actions had been taken.

VA has 300,000 employees so those types of data breaches are nearly impossible to prevent, Baker said. But they are becoming easier to detect with the help of recently installed software that gives an overview of devices linked to the department’s network.

“By 2011, we will have visibility to every device,” he added.

All the veterans whose data was affected are being notified and offered credit monitoring services as a preventive measure against identity theft, he said.

Although the agency’s IT systems were working properly in both instances, worker error was the cause of the breaches. “I cannot count all the things that went wrong” in the two breaches, Baker said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.