Investigators looking into the theft of US Department for Veterans Affairs data on 26.5 million former soldiers have slammed the department’s “persistent, longstanding” information security weaknesses.
The criticism came at US Congress hearings following last month’s theft of VA department records – including the names, social security numbers and dates of birth of 26.5 million veterans – from the home of one of the department’s data analysts.
The Government Accountability Office and Veterans Affairs inspector general told how an investigation into the scandal had revealed warnings that were ignored, weak management and lax rules.
The VA department had routinely failed to control and monitor staff access to confidential data, did not operate "need-to-know" restrictions and often failed to close the accounts of departed staff quickly enough, the investigators said. Nor did the department have a clear chain of command for enforcing security measures.
Linda Koontz, a director on information management at GAO, told a congressional committee, “Much work remains to be done. Only through strong leadership, sustained management commitment and effort, disciplined processes, and consistent oversight can VA address its persistent, long-standing control weaknesses.”
The VA’s chief information officer lacked power to enforce security, and the department had a culture that was resistant to change, she warned.