The Veterans Affairs Department had security directives that were routinely ignored by employees in a culture of security laxity, VA Secretary Jim Nicholson and other officials said, according to Federal Computer Week.
While the employee who took home the data containing 26.5 million vets' SSNs and other data violated department policies, according to Nicholson, this was not an unusual occurrence, VA Inspector General George Opfer found.
The employee apparently did not feel bound by the policy and had routinely worked on sensitive data at home during the past three years, said Opfer. None of the employee’s supervisors knew he had taken a file of 26.5 million records home. ... Opfer told the Senate panel that Federal Information Security Management Act reviews by his office have identified significant information security vulnerabilities at the VA since 2001.
He said the IG’s office has repeatedly warned of serious security problems caused by the VA’s lack of control and oversight of access to information systems, including poor monitoring of employee access to sensitive information. The situation placed sensitive veteran information at risk, Opfer said, “possibly without detection of inadvertent or deliberate misuse, fraudulent use, improper disclosure or destruction.”
Nicholson appears to have survived the ax that threatened his job when news of the breach first came out. While he told the panel he had no excuse for ignoring repeated warnings by the IG, he is now requiring every employee to complete cybersecurity and information privacy courses by June 30, and they will need to annually sign a Privacy Act statement. The VA will also work to encrypt sensitive information and plans to have new guidelines by June to govern remote users’ access to data, Nicholson said. He did not provide any details.