Tuesday, July 04, 2006

Whew. At least for now...

We got letters in the mail a few weeks ago regarding the theft of a laptop containing information about veterans -- the VA wanted to warn us to watch out for identity theft and any odd behavior in our credit history, etc. They weren't clear what data was actually missing (although it was enough to warrant a bit of panic about identity theft), but they were investigating the incident.

We keep pretty close track of our finances and our credit history, so I'm confident we would have found anything amiss pretty quickly.

I am, however, quite pleased to note that the laptop and missing data have been recovered. The FBI seems to think that the data had not been accessed, which makes about 26 million people breathe a sigh of relief (although I don't know if I'd really relax much). An employee had the data at home on a laptop, which raises some serious issues about security. But -- the interesting part was this:
At the time, VA officials were quick to blame the data analyst involved for violating agency policy in taking the laptop home. However, it has since emerged the worker, who was placed on administrative leave during the course of an inquiry, had written permission to take the sensitive data away from VA offices in order to work from home.
It still should have been encrypted, and stored only on the servers in the office behind firewalls -- and frankly, the employee should have been accessing them remotely using one of the many VPN protocols. There are a lot of holes in this process and no one seems to have thought much about security.


The Tiger said...

Question -- if the data isn't supposed to be portable, why is it ON A LAPTOP?????!?!?!?!?

I agree, there are any number of ways to secure this data using secure servers. My PhD data is better protected than that stuff!

The Tiger said...

A nice article which covers basically the same thing you did just hit the IHT:


The Tiger said...

Argh. The rest of the link is