The trove of sensitive government information should not have been taken home in the first place. Once it had been stolen, however, the federal investigation bordered on the farcical.
Backstabbing, rear-covering, interoffice bickering, and a general lack of urgency throughout the Department of Veterans Affairs made the whole situation worse. Lots worse.
These are among the conclusions in an official report on the theft in May of personal data for more than 26 million US veterans and active duty and reserve military personnel. Word of the theft caused a nationwide uproar.
The names, dates of birth, Social Security numbers, and other pieces of personal identity data were missing for nearly two months, during which time it was feared that millions of former and current military members could fall victim to criminal identity theft, fraud, or other woes.
The report by George J. Opfer, the VA’s inspector general, urged disciplinary action be taken against the persons who failed to take appropriate action and that the VA establish clearer policies for protecting information, among other things.
In general, the report is unsparing in its inside account of bureaucracy at its worst.
“At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating, or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility,” concludes the report.
A “Fascination Project”
The VA’s sorry laptop scandal begins with a VA employee’s “fascination project”—meaning one in which the employee was personally interested.
The employee goes unnamed in the IG report, but he was, evidently, well regarded by peers and bosses. Managers described him as someone who put in long hours and produced meticulous work.
His job featured designing and programming VA information systems and databases, so this employee had easy access to the electronically stored records of tens of millions of veterans. The employee was also supposed to figure out ways to improve VA data and data-handling methods—and to do all of this while working relatively independently.
Then, on May 3, burglars struck the Maryland home of this technology specialist. The employee’s wife discovered the crime at about 3 p.m. and reported the break-in to the local police. The employee himself found out about the robbery when he returned from work that afternoon.
The key items taken in the robbery were a personal laptop computer and an external hard drive, which had been stored in different places in the house. When the employee found this out, he immediately notified his superiors and the VA Office of Security and Law Enforcement that the stolen equipment contained sensitive VA data.
Much of the data on the hard drive was for his personal “fascination project,” the employee later told IG investigators. The National Survey of Veterans, a 2001 VA effort that collected a wide variety of social and health information on former members of the armed services, had been criticized by some experts as inaccurate, he said. So the employee had taken a chunk of this massive database home, to verify parts of the survey on his own time.
For instance, he was using an on-line reverse telephone directory to see if names, addresses, and phone numbers of thousands of vets in the NSV survey matched up to those in the VA database.
This sort of cross-checking took hours, and he really could not justify doing it at the office, the employee told investigators. “He was willing to invest his own time to see if he could make progress in identifying the veterans,” says the IG report.
The stolen computer equipment also contained some information on a second project, in which the employee was using various government databases to identify veterans who might have been exposed to mustard gas.
The employee had been taking sensitive VA data home for years. He had never asked anyone in the bureaucracy for permission to do so, and no one knew he was doing it, reported the IG study.
“Extremely Poor Judgment”
The IG report concludes that the employee not only lacked permission but he also had no need to take the data home and subsequently failed to properly safeguard it.
“The employee used extremely poor judgment when he decided to take personal information pertaining to millions of veterans out of the office and store it in his house without password protecting and encrypting the data,” says the IG report.
The poor decision-making did not end there. VA security personnel, alerted to the theft, pursued the case with all the energy of a hound dog asleep in the sun of an August afternoon.
It was not until May 5—two days after the theft was discovered—that an information security officer interviewed the employee to determine what might have been lost. The term “interview” may be an overstatement, considering that their face-to-face meeting lasted about three minutes.
According to this security officer, the employee started going off in so many directions that the investigating officer just could not take good notes. So he told the employee to write down what had happened and send it to him.
The written account arrived that afternoon. It talked about database extracts that might have been stolen, but did not mention the number of files that were possibly compromised, or otherwise convey the magnitude of the incident.
Using this slight information as his source material, the security officer wrote up a “White Paper on Lost Data” that he e-mailed to the employee’s superiors, Michael H. McLendon, deputy assistant secretary for policy, and Dennis Duffy, acting assistant secretary for policy, planning, and preparedness.
These men later told the inspector general’s office that they were relying on the information security officer, a GS-13 civil servant, to make sure that law enforcement had all the information it needed to pursue the case.
Roles and Missions
The information security officer had a somewhat different view of his responsibilities. “I’m not an investigator,” he later told the IG. “I’m a computer tech guy that has a job.”
VA’s response to the data theft was further slowed by Washington-style office infighting.
McLendon, the VA policy official, had actually learned about the incident on the day it occurred, when the employee, obviously upset, called McLendon with the police still at his house. Yet McLendon initially did not tell his boss, Duffy, what had happened.
McLendon was a political appointee and thought, for some reason, that he reported directly to the Secretary of Veterans Affairs, R. James Nicholson. He apparently did not believe that the “careerist” Duffy, a civil servant, should supervise him.
So, the judgment of the two men at the center of the VA’s handling of the incident was affected by their long-standing and personal feud.
“McLendon characterized [the office] as one of the most dysfunctional organizations in VA and [said] that it was one of the most hostile work environments ‘he ever set foot in,’?” states the IG report.
Duffy did not learn of the incident until two days after it happened—and only then because of what he described as a “casual hallway meeting” with the information security officer working on the case.
Not that he moved with much urgency after he did hear about it. Duffy did not notify higher officials, such as the VA chief of staff, Thomas G. Bowman, about the scope of the problem, informing him that the missing components contained names and other personal identification.
Asked why he hadn’t sounded an alarm, Duffy said that he knows how VA officials operate. “They do not do crisis management,” he claimed.
In hindsight, Duffy told an interviewer from the IG office, he could see that his biggest mistake was that he “failed to recognize the magnitude of the whole thing.”
A Systemic Lack of Urgency
In that failure, he was not alone. Over and over, the IG report uses the same phrase to describe the response to this incident, even for high-level officials: “lack of urgency.”
Six days after the burglary, Duffy told Chief of Staff Bowman about the theft and possible loss of veterans’ personal data. The next day, Duffy provided him with the cursory white paper.
Bowman’s first action was to forward all the information he had to the general counsel’s office. He wanted to know VA’s legal responsibility to inform veterans of the theft. Then he waited—for six days.
Bowman got a phone call from Opfer, the IG, on May 16. The IG’s office had determined the scope of the problem independently, by interviewing the employee. In this discussion with the IG, Bowman acknowledged that he knew about the data theft, but added that he was not really aware of how big it might be. He estimated that hundreds of thousands of records could be involved.
Hundreds of thousands? Opfer told Bowman that the names, dates of birth, Social Security numbers, and other pieces of personal identity data for as many as 26 million veterans might have been stolen.
The IG informed Bowman that the VA Secretary, Nicholson, needed to get a briefing on this issue. Shortly thereafter, Nicholson finally heard the bad news from his own staff, learning just how widespread and politically explosive the loss of data could be. By this point, almost two weeks had passed since the theft.
Highlighting the multilevel negligence is this fact: The IG office discovered the magnitude of the theft, when so many others had not, by simply asking the employee who had lost the data.
After the brief chat with the information security officer, the employee hadn’t been contacted by anyone from the VA for more details on what had happened. The inspector general was able to determine the scope of possible loss in one interview with the man on May 15.
“It is unexplainable as to why the employee who reported the stolen data was never consulted by anyone in the management chain of command except the GS-13” security officer, concludes the IG report.
The VA theft represented one of the largest breaches of security of personal data in the nation’s history. Fortunately, on June 28 law enforcement officials recovered the stolen laptop and external hard drive intact.
After examining the equipment in minute detail, both the FBI and the VA’s inspector general concluded that they were “highly confident” that the data files were not compromised by whoever stole them.
McLendon resigned his VA post in June, according to news reports. Duffy has retired. The employee who took the data home in the first place was fired.
According to the IG report, the VA needs to change its policies no less than its people. Rules governing removal of protected information from the office, and for the storing of sensitive data on personal computer equipment, are a “patchwork” of regulations that do not provide adequate protection.
“More needs to be done to ensure protected information is adequately safeguarded,” says the inspector general’s report.