Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- Mission-critical Apps in the Cloud
- Mobile Device Management
- The Modern Federal Threat Landscape
- The Path from Legacy Systems
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
House Veterans Committee adds latest VA cyber breach to ongoing investigations
Monday - 1/27/2014, 3:57am EST
Rep. Jeff Miller (R-Fla.), chairman of the committee, wrote to VA Secretary Eric Shinseki Friday asking for answers to 18 questions about the latest cyber breach by Jan. 31.
"It has come to my attention that thousands of veterans have had their personally identifiable information, including medical and financial information, divulged online through the eBenefits portal," Miller wrote in the letter. "Unfortunately, these types of breaches continue to occur on a regular basis at the VA, despite multiple assurances that its systems are secure."
VA notified the committee and others last week that it had exposed veterans' personal information on Jan. 15.
VA reported that about 20 veterans called the helpdesk to report they logged onto eBenefits and saw another veteran's personal data.
The agency said about 10,000 veterans logged onto the portal on Jan. 15.
A VA spokeswoman said VA initially is estimating up to 5,351 of eBenefits' 3.38 million users may have been impacted by the software defect; however, a final determination on the number affected will be issued by the Data Breach Core Team when its review is completed.
"The Department of Veterans Affairs takes seriously our obligation to properly safeguard personal information," the spokeswoman said. "VA took immediate action upon discovering the software defect and shut the eBenefits system down in order to limit any problems and prevent further exposure. VA brought eBenefits back online Sunday, after a period of down time. VA conducted a full review of the software issue and reinforced its security posture, after determining that the defect had been remedied and the portal was functioning properly. All eBenefits functionality is now available to use. We offer our sincere apologies to any service member, veteran or family member impacted by the software defect and the downtime."
But Miller said eBenefits and other VA systems "continue to be afflicted by persistent information security weaknesses," and therefore wants to know more about what VA is doing to protect veterans' data and its systems.
This latest request for information becomes the 111th from the committee that remains outstanding since June 2012.
"The leisurely pace with which VA is returning requests — and in some cases not returning them — is a major impediment to the basic oversight responsibilities of the committee," a committee spokesman said. "VA's unanswered questions have created mounting frustration for committee members, and prompted Chairman Miller to take the unprecedented step of writing weekly letters to VA Secretary Eric Shinseki, listing the number of outstanding information requests and asking for 'accurate information in satisfaction of these requests.'"
In the Jan. 24 request to VA, among the questions Miller wants answered are:
- Please explain in detail how VA identified and addressed the eBenefits
"software defect." In accordance with Office of Management and Budget memorandum
07-16, did VA implement their rules of behavior and enforce their table of
penalties to anyone for failing to follow the rules for safeguarding PII?
- In the future, how does VA expect to prevent the same "software defect" from
- How did VA determine that the eBenefits security and privacy breach was the
result of a "software defect" and not a data breach through a system security
- Of the 3.4 million veterans enrolled, how many will be offered credit
monitoring services as described with the Veterans Benefits Health Care and
Information Technology Act of 2006?
- In accordance with the Veterans Benefits Health Care and Information Technology Act of 2006, has the Secretary appointed a non-VA entity or the VA's inspector general to conduct a risk analysis on the possible eBenefits privacy and security breach?
The latest breach adds to a growing list of problems in how VA goes about securing its systems. In 2013, VA failed for the 15th year in a row its consolidated financial statement audit with regard to security controls.
Additionally, the latest breach builds on a report from December 2012 showing veterans are at a higher risk of identity theft than the average citizen. Federal News Radio obtained a December 2012 report by ID Analytics showing veterans near military bases in Alaska, New York, Colorado, Ohio and Kentucky have a higher risk ratio for identity theft than non-veterans in the same areas. ID Analytics focuses on consumer risk management through the use of analytics and real-time insight into consumer behavior.