Recent breach shines light on need for contractor oversight

Recent data breaches have accelerated agency efforts to secure their internal systems. The next cybersecurity frontier is ensuring contractors keep government data safe.

The Veterans Affairs Department found this out the hard way last week when Unisys Corp., working as a subcontractor, had a desktop computer containing sensitive personal information go missing from the company's offices in Reston, Va.

The missing PC represents the second VA data breach in three months.

The data breach affects up to 38,000 veterans in the Pittsburgh and Philadelphia areas. The desktop computer contained billing records with information about veterans who sought treatment at two VA medical centers in Philadelphia and Pittsburgh. Unisys assisted in insurance collections for the centers.

Information on the computer includes names, addresses, Social Security numbers and dates of birth. It does not include personal financial information.

Unisys had observed security controls, but there was no requirement to encrypt the data, said Unisys spokeswoman Lisa Meyer.

'The building and floor where the computer was located require security protocols for physical access. Log-in and password protocols also were required to access the data, which were stored in a database on the computer,' she said.

With IT theft becoming so prevalent, agencies should encrypt either the data or the hardware, said Alan Paller, research director at the SANS Institute of Bethesda, Md.

Hard-drive makers recently made full disk encryption available for computers. The breakthrough technology encrypts all data from the disk controller through a software key that resides on a portion of the disk that only the user can access.

'Full disk encryption means that, if you steal my computer, it is highly unlikely that you can read my data,' he said. Encryption of data, however, is 'absolutely essential in mobile computing,' Paller said.

VA has started notifying affected veterans, while Unisys will provide them credit monitoring for one year, Meyer said. 'The investigation continues, including exhaustive review of video tapes and other pertinent logs. No one has been ruled in or out.'

VA's inspector general, the FBI and local law enforcement are investigating the incident, said VA secretary James Nicholson last week.

Unisys notified VA Aug. 3 that the computer was missing. VA immediately dispatched a team, including Robert Howard, supervisor of VA's Office of Information and Technology, to Unisys to assist in the search for the missing computer and to help determine the precise nature of the information it may have contained.

VA personnel also took immediate steps to notify senior VA leadership including Nicholson and deputy secretary Gordon Mansfield, appropriate congressional offices and committees, VA's Office of the Inspector General and other law enforcement authorities, including the FBI and the Homeland Security Department's Computer Emergency Response Team.

The latest data breach follows another that occurred in May, when thieves stole a laptop and hard drive from the home of a VA employee.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
