Martin McKeay

Security Matters

VA employee tried to hide the damage

According to a report by the Veterans Affairs Department, an employee of the organization attempted to minimize the apparent impact of a breach in January. After an external hard drive was stolen, the IT specialist deleted and encrypted files on his system to make the theft look less serious, though he later admitted to the changes. The use of an external drive was against policy, and the files were likely deleted to hide the extent of the data that was stolen. The specialist remains unnamed but has been put on administrative leave pending investigation.

Corporate policies are absolutely necessary, but they need to be backed up with technical safeguards that enforce them and prevent situations like this from happening. The specialist obviously knew that what he was doing was against policy; otherwise he never would have tried to cover up the extent of the damage. Was it more important to cover his tracks than to reveal that a quarter of a million records had been stolen along with the hard drive? The policy should have been followed up with a technical safeguard to make sure that external hard drives couldn't be used, or that sensitive information couldn't be downloaded to a local, easily stolen system.

I'm getting tired of receiving letters from the VA concerning new ways in which my personal information has been compromised. I know that the Veterans Affairs Department has taken steps to limit the dissemination of personally identifiable information, but it obviously hasn't been enough. This event may end up costing the department nearly $20 million if their own estimate is correct, an amount I would rather have seen applied to preventative measures than cleanup.

If you've got the time, take a glance at the Inspector General's report on this incident. There are things the Veterans Affairs Department is doing right. Unfortunately, this is one of the classic problems with security: you can do your best to secure everything, but it only takes one chink in the armor to compromise everything. And when the people who are trying to find those chinks are inside your network, it is all that much harder to protect yourself, and the impact of a compromise is all that much more painful.
