House Veterans Committee adds latest VA cyber breach to ongoing investigations

Monday - 1/27/2014, 3:57am EST

The House Veterans Affairs Committee continues to press the Veterans Affairs Department over its struggle to secure its systems and the data of tens of millions of veterans. The latest episode comes just a week after VA muffed a software update to its eBenefits system and caused the exposure of the data of more than 5,000 veterans.

Rep. Jeff Miller (R-Fla.), chairman of the committee, wrote to VA Secretary Eric Shinseki Friday asking for answers to 18 questions about the latest cyber breach by Jan. 31.

"It has come to my attention that thousands of veterans have had their personally identifiable information, including medical and financial information, divulged online through the eBenefits portal," Miller wrote in the letter. "Unfortunately, these types of breaches continue to occur on a regular basis at the VA, despite multiple assurances that its systems are secure."

VA notified the committee and others last week that it had exposed veterans' personal information on Jan. 15.

VA reported that about 20 veterans called the helpdesk to report they logged onto eBenefits and saw another veteran's personal data.

The agency said about 10,000 veterans logged onto the portal on Jan. 15.

A VA spokeswoman said VA is initially estimating that up to 5,351 of eBenefits' 3.38 million users may have been impacted by the software defect; however, a final determination on the number affected will be issued by the Data Breach Core Team when its review is completed.

"The Department of Veterans Affairs takes seriously our obligation to properly safeguard personal information," the spokeswoman said. "VA took immediate action upon discovering the software defect and shut the eBenefits system down in order to limit any problems and prevent further exposure. VA brought eBenefits back online Sunday, after a period of down time. VA conducted a full review of the software issue and reinforced its security posture, after determining that the defect had been remedied and the portal was functioning properly. All eBenefits functionality is now available to use. We offer our sincere apologies to any service member, veteran or family member impacted by the software defect and the downtime."

But Miller said eBenefits and other VA systems "continue to be afflicted by persistent information security weaknesses," and therefore wants to know more about what VA is doing to protect veterans' data and its systems.

This latest request for information becomes the 111th from the committee that remains outstanding since June 2012.

"The leisurely pace with which VA is returning requests — and in some cases not returning them — is a major impediment to the basic oversight responsibilities of the committee," a committee spokesman said. "VA's unanswered questions have created mounting frustration for committee members, and prompted Chairman Miller to take the unprecedented step of writing weekly letters to VA Secretary Eric Shinseki, listing the number of outstanding information requests and asking for 'accurate information in satisfaction of these requests.'"

In the Jan. 24 request to VA, among the questions Miller wants answered are:

  • Please explain in detail how VA identified and addressed the eBenefits "software defect." In accordance with Office of Management and Budget memorandum 07-16, did VA implement their rules of behavior and enforce their table of penalties to anyone for failing to follow the rules for safeguarding PII?

  • In the future, how does VA expect to prevent the same "software defect" from occurring again?

  • How did VA determine that the eBenefits security and privacy breach was the result of a "software defect" and not a data breach through a system security vulnerability?

  • Of the 3.4 million veterans enrolled, how many will be offered credit monitoring services as described with the Veterans Benefits Health Care and Information Technology Act of 2006?

  • In accordance with the Veterans Benefits Health Care and Information Technology Act of 2006, has the Secretary appointed a non-VA entity or the VA's inspector general to conduct a risk analysis on the possible eBenefits privacy and security breach?

The latest breach adds to a growing list of problems in how VA goes about securing its systems. In 2013, VA failed its consolidated financial statement audit with regard to security controls for the 15th year in a row.

Additionally, the latest breach builds on a report from December 2012 showing veterans are at a higher risk of identity theft than the average citizen. Federal News Radio obtained a December 2012 report by ID Analytics showing veterans near military bases in Alaska, New York, Colorado, Ohio and Kentucky have a higher risk ratio for identity theft than non-veterans in the same areas. ID Analytics focuses on consumer risk management through the use of analytics and real-time insight into consumer behavior.
