Veteran’s Administration loses 26.5 million records

A recent report from the Veteran’s Administration (VA) indicates that a data analyst illegally removed the personal records of over 26.5 million former service members from the VA, which was subsequently stolen from the analyst’s residence.  Fortunately, the records did not contain any medical or financial information on every service member that has served this country’s armed forces since 1975.  However, the names, dates of birth, and Social Security Numbers were among the information that has been stolen.  The authorities do not believe that the information was specifically targeted, as there has been a string of burglaries in the analyst’s area of residence.  They also believe that the thief(s) may not even know that they have this particular information.  How the data analyst got the data out of the building is unclear, whether it was on a laptop, USB drive, CD/DVD or some other type of destructive, transportable media.  However, the incident does pose several questions, for me, about the organization’s Information Security policies and procedures.  Especially, if you consider that my name, date of birth, and Social Security Number is included in the 26.5 million other veterans that have been affected.

My first question about this incident is, naturally, what were the motivating factors that allowed this series of events to take place?  If you recall from my previous blog entry, my research for the State of the Threat presentation indicated that there is a growing market for our personal information to be used in identity theft schemes.  With organized crime groups doing all they can to get the SSN’s of innocent people to be used to steal their identities for monetary gains, I have to wonder (pure speculation!) if there was some sort of cooperation between the data analyst and an external entity to have this information removed from the Veteran’s Administration.  With all the talk about the illegal immigration issue, we all know that many of those immigrants are using stolen identities in order to be able to work.  There is a debate going on in the Senate that may end up allowing those same illegal immigrants to keep the Social Security benefits that they paid into by using the stolen identities.  Could the underground market for names and SSN’s (and the finders fees for those numbers) be a motivating factor?

More imporant than the motivators is what security policies were in place that were supposed to safeguard against this type of thing occurring?  By now, most companies or agencies are being regulated by some sort of legistlation, whether it be GLBA, HIPPA, SOX, or NCUA 748, that mandates certain controls be implemented to prevent just this very thing from happening.  Were these safeguards implemented at the Veteran’s Administration?  If they were implemented, were they being followed?  Was there an awareness program in place to inform the employees of their roles and responsibilities in the organization’s Information Security posture?  Has a third party ever performed a risk assessment of the VA’s security posture, to include security policies and business processes?  What was the VA’s policy about USB Drives or other transportable media?  Is there unmitigated access to this type of data, once access is gained to the internal network?

For years, security professionals have been screaming, at the top of their lungs, that the user will always be the weakest link in an organization’s security posture.  Could this incident have been avoided with a comprehensive, standards based Risk Assessment and follow on Awareness Program?  Or, will the theoretical disgruntled employee (I don’t know if that’s the case in this incident) always be the worst fear of any organization?

This incident, or one of the dozen or so incidents that have been reported from some of the largest companies in the world, should put the need for a comprehensive, repeatable, and standards-based, third party risk assessment at the top of the list on every security professional’s mind.  If the thought of being the company or organization that is responsible for the identity theft and ruined credit of 1 person to millions of people doesn’t get the job done, maybe the fines and lawsuits that could ensue if an incident of this nature occurs at your organization, will be the motivator that enables your organization to realize that information security is not just a new buzz word.  It’s a reality….and a necessity.

As for me, I can be found at the nearest credit bureau trying to order my credit report.  OUT OF MY POCKET….NO LESS!!!

This entry was posted in General InfoSec by Troy Vennon. Bookmark the permalink.

About Troy Vennon

I recently separated from the U.S. Marine Corps after 8 years. I spent the first 3 1/2 years building classified and unclassified networks all over the world. There was a natural progression from building those networks to securing those networks. My last 4 1/2 years in the Marine Corps took me to Quantico, Va where I was stationed with the Marine Corps Network Operations and Security Command (MCNOSC). While with the MCNOSC, I was a member of the Security section, which was responsible for the installation and daily maintainance of the 34 Points-of-Presence that made up the Marine Corps 270,000+ user network. After a period of time with Security, I moved over to the Marine Corps Computer Emergency Response Team (MARCERT). There I was the Staff Non-Commissioned Officer of the MARCERT, which was responsible for the 24x7 monitoring of network traffic across the Marine Corps. Specifically, we monitored network traffic for malicious intent and investigated any network incidents as they occurred. While with the MCNOSC, I attained my CISSP, CCNA, and OPST (OSSTMM Professional Security Tester). I have been with MicroSolved for the past 4 months as the Senior Security Engineer, Technical Lead, and Project Manager.

Leave a Reply