Editorial: Security lags at VA

Monday, Sept. 24, 2007 | 7:16 a.m.

The theft of a laptop computer and external hard drive from a Maryland home in May 2006 became what The Washington Post called the "largest information security breach in government history."

Lost were the names, birth dates and Social Security numbers of more than 24 million veterans and as many as 2.2 million active-duty military personnel.

An employee of the Veterans Affairs Department had taken the equipment home with him. U.S. Park Police recovered it about two months later. Luckily, no names had been accessed.

Although the burglary took place May 3, Veterans Affairs Secretary Jim Nicholson - who is stepping down Oct. 1 - was not informed of it until May 16.

Other facts about lax security at the VA were also revealed. The Post noted that inspectors, during annual computer-security reviews, had consistently ranked the VA near the bottom among federal agencies.

Given the massive scale of the incident, the VA was expected to follow through quickly on Nicholson's pledge to make the department the "gold standard" for information security.

A report last week by the Government Accountability Office gave credit to the VA for developing a plan to correct security weaknesses, but stated that the department has a long way to go.

Less than a month after the theft, the VA official in charge of computer security resigned - and has not yet been replaced, the GAO said. This has left no one in charge to oversee the reorganization of security procedures.

The report said that responsibility is being shared by several offices and that there is no plan for how they should work together.

Also, according to the report, the VA's computer files are not yet fully secure. The department has not worked to ensure that only authorized changes and updates to its computer system are made.

The GAO report concluded that "unnecessary risk" to computer security still exists at the VA. In our view, that's not exactly the gold standard.