[Dataloss] follow-up: Employee tried to mask extent of latest VA data breach

[security curmudgeon]

---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>

http://www.govexec.com/story_page.cfm?articleid=37403

By Daniel Pulliam
GovExec.com
July 9, 2007

An information technology specialist at the Veterans Affairs Department 
misled investigators in an attempt to cover up the extent of a data breach 
early this year that jeopardized personal information on more than a 
million people, according to a recent audit report.

In an interview with auditors, the specialist gave inaccurate information 
about the Jan. 22 loss of an external computer hard drive from VA's 
Birmingham, Ala., research facility, the report from the department's 
inspector general stated. The information ended up in a press release 
about the incident, the investigators found.

The specialist also encrypted and deleted multiple files from his computer 
shortly after he reported the data missing, making it more difficult to 
determine what was stored on his desktop, the IG said. He initially denied 
this when confronted by investigators, the report said. But an IG computer 
forensic analysis prompted him to admit to taking actions to hide the 
extent of the missing data.

As of February, the IT specialist, who was not named in the report, had 
been placed on administrative leave pending the outcome of the 
investigation. The VA did not respond to requests for an update Monday on 
the specialist's employment status.

Michael Kussman, VA's undersecretary for health, concurred with the IG's 
recommendation that "appropriate administrative action [be] taken against 
the IT specialist for his inappropriate actions during the course of the 
investigation and for failing to properly safeguard personally 
identifiable information on his missing external hard drive." Kussman said 
the "target completion" date for this was Oct. 1, following a review of 
the evidence.

[..]