Unencrypted thumb drive causes breach at VA

VA employee broke rules and plugged in personal drive at work

Two recent privacy breaches at the Veterans Affairs Department involved employees who disregarded information security protocols they were trained to follow, said Roger Baker, assistant secretary for information and technology at VA.

One incident involved an employee who plugged a personal unencrypted thumb drive into his computer at work and used it to inappropriately store Social Security numbers and other personal data for 240 veterans. The thumb drive was then lost inside a VA facility, found by a VA security guard, taken home by the guard and finally returned to VA officials, who declared the events a security breach.

In the other incident, a VA employee printed out Social Security numbers and other personal information on 180 veterans and took the papers home, where he typed the information into a Microsoft Word file on his home computer. When he tried to send the file to his work account via e-mail, VA's system flagged the message, resulting in discovery of the breach.


Related stories:

VA gets visibility with cybersecurity tool

Personal data of reservists, veterans at risk in recent thefts


All three employees, including the security guard, had received mandatory training in proper security and privacy protocols, which prohibit use of unauthorized devices at work and printing and taking personal data home, Baker said in a conference call with reporters Nov. 17. The workers have been counseled about the violations, although Baker declined to say whether specific disciplinary actions had been taken.

VA has 300,000 employees so those types of data breaches are nearly impossible to prevent, Baker said. But they are becoming easier to detect with the help of recently installed software that gives an overview of devices linked to the department’s network.

“By 2011, we will have visibility to every device,” he added.

All the veterans whose data was affected are being notified and offered credit monitoring services as a preventive measure against identity theft, he said.

Although the agency’s IT systems were working properly in both instances, worker error was the cause of the breaches. “I cannot count all the things that went wrong” in the two breaches, Baker said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.