Investigators looking into the theft of US Department
for Veterans Affairs data on 26.5 million former soldiers have
slammed the department’s “persistent, longstanding” information
security weaknesses.
The criticism came at US Congress hearings following last
month’s theft of VA department records – including the names,
social security numbers and dates of birth of 26.5 million veterans
– from the home of one of the department’s data analysts.
The Government Accountability Office and Veterans Affairs inspector
general told how an investigation into the scandal had revealed
warnings that were ignored, weak management and lax rules.
The VA department had routinely failed to control and monitor
staff access to confidential data, did not operate "need-to-know"
restrictions and often failed to close the accounts of staff who
had left quickly enough, the investigators said. Nor did the
department have a clear chain of command for enforcing security
measures.
Linda Koontz, a director on information management at GAO, told a
congress committee, “Much work remains to be done. Only through
strong leadership, sustained management commitment and effort,
disciplined processes, and consistent oversight can VA address its
persistent, long-standing control weaknesses.”
The VA’s chief information officer lacked power to enforce
security, and the department had a culture that was resistant to
change, she warned.