The Veterans Affairs Breach – Anyone Can Be The Weakest Link
On May 3, 2006, a data analyst at Veterans Affairs had his computer equipment stolen from his home in Montgomery County, Maryland. The analyst had taken his laptop PC and external hard disk home without permission.
The hard disk contained unencrypted insurance claim data for 26.5 million active duty troops and veterans, leaving them open to potential identity theft and fraud. The sensitive information included names, Social Security numbers, dates of birth and disability ratings. The majority of the data was tied to veterans and their spouses. 1.1 million active-duty personnel were affected, including 430,000 members of the National Guard and 645,000 members of the Reserves. Affected veterans were not told about the breach until 3 weeks later because of a series of internal reporting delays.
Luckily, the FBI recovered the equipment, apprehended the thieves and certified that the data had been untouched. However, the fact remains that this was a major blunder that compromised the confidential information of many veterans.
- Data encryption to secure and protect information.
All sensitive information and data must be encrypted on the systems that store them. Do not make it easy for hackers to obtain information.
- Stronger breach notification guidelines within agencies
There has to be a formal internal breach notification process and framework for notifying incident response teams and administrators of breaches so that action can be taken swiftly to mitigate the crisis.
- More attention to data retention, classification and minimization
There needs to be a proper assessment and review of how personally identifiable information is stored, accessed and protected. First, organisations have to perform formal privacy impact assessments to understand how their agencies are collecting, using and protecting personal data. Next, these systems must be assessed, rated and prioritized. Lastly, appropriate controls should be applied based on the amount of personal data each system contains.
- Stronger remote access policies.
There is a need for better controls on agency data when it is accessed from remote locations by teleworkers. Implementing two-factor authentication to control remote access to agency networks and data is critical. Remote users should also be asked to reauthenticate themselves after 30 minutes of inactivity. The focus should be on securing remote systems via the use of endpoint network admission control tools. Any system logging into a network has to have adequate antivirus and firewall protections, have all the mandated configuration settings and be properly patched.
- Staff training and awareness – anyone can be the weakest link
Cyber awareness programs should be as comprehensive as possible and made available to staff at all levels. This ensures that employees become aware of issues beyond those they encounter in their own department and level, and are well equipped to prevent or deal with any potential cyber breach.
Being proactive is a must; an investment in an organisation’s protection and its employees’ awareness will prove to be more affordable than the subsequent financial losses due to a cyberattack.
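The remote access controls listed above (two-factor authentication, reauthentication after 30 minutes of inactivity, and endpoint posture checks for antivirus, firewall, configuration and patching) can be combined into a single admission decision. The following is an added illustrative example, not code from the original article or from any VA system; the class names, field names and verdict strings are assumptions, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)  # inactivity threshold stated in the article

@dataclass
class Endpoint:                 # posture report from the remote system (hypothetical shape)
    antivirus_running: bool
    firewall_enabled: bool
    config_compliant: bool      # matches the mandated configuration settings
    patches_current: bool

@dataclass
class Session:                  # authentication state of the remote user (hypothetical shape)
    password_ok: bool
    second_factor_ok: bool
    last_activity: datetime

def posture_failures(ep):
    """Return the name of every posture check the endpoint fails."""
    checks = {
        "antivirus": ep.antivirus_running,
        "firewall": ep.firewall_enabled,
        "configuration": ep.config_compliant,
        "patching": ep.patches_current,
    }
    return [name for name, ok in checks.items() if not ok]

def admission_decision(ep, session, now):
    """Return (verdict, reasons); verdict is 'allow', 'reauthenticate' or 'quarantine'."""
    failures = posture_failures(ep)
    if failures:                # a non-compliant device is kept off the network entirely
        return "quarantine", failures
    if not (session.password_ok and session.second_factor_ok):
        return "reauthenticate", ["two-factor authentication incomplete"]
    if now - session.last_activity >= IDLE_LIMIT:
        return "reauthenticate", ["idle for 30 minutes or more"]
    return "allow", []

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)                    # constructed sample time
    laptop = Endpoint(True, False, True, False)          # constructed: firewall off, unpatched
    user = Session(True, True, now - timedelta(minutes=45))
    print(admission_decision(laptop, user, now))
```

Posture is evaluated before authentication state so that a non-compliant device is quarantined even when its user holds a valid two-factor session.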
- Financial losses
5 veteran groups filed a class-action lawsuit against the VA alleging invasion of privacy. The lawsuit sought $1000 in damages for violations of privacy for each of the military personnel affected. The VA agreed to pay $20 million to veterans affected by the breach.
- Reputational damage, Overhaul of IT controls
The breach caused widespread concern over the perceived lack of information security controls at the agency. It prompted a sweeping overhaul of the agency’s IT organization, including top-level personnel changes and a centralization of all IT development, operations and maintenance activities at the VA.
In November of 2007, the VA suffered a smaller breach, affecting 12,000, after 3 computers were stolen. The VA has suffered other data breaches, affecting up to 1.8 million, several times since 2006. The breaches have largely worsened over time, though they remain a smaller percentage of the millions of records the VA possesses.