VA data still at risk, investigators say

WASHINGTON — Sensitive information on millions of U.S. military personnel and veterans is still at grave risk because of security controls that have not yet been fixed, government investigators said Wednesday.

Meanwhile, Senate Democrats stepped up their criticism of the Veteran Affairs Department's handling of the May 3 burglary of personal data, calling for an independent investigation into its delayed response.

Sen. Hillary Clinton, D-N.Y., said the administration's "incompetence has gone digital, and we are paying the price."

In testimony to Congress, the Government Accountability Office and the VA inspector general detailed ignored warnings, weak management and lax rules in their review of information security after the theft of 26.5 million military personnel's private data last month.

They found that the VA routinely failed to control and monitor employee access to private information, did not restrict users to "need-to-know" data, and often waited too long to terminate accounts when an employee quit or was fired.

The investigators also said that the VA lacked a clear chain of command in enforcing security, and that it needs stronger leadership from VA Secretary Jim Nicholson to force reform after five years of repeated warnings about security.

Up to now, VA officials have not been held accountable for lax security, and "there need to be consequences," the GAO said.

Lawmakers from both parties expressed dismay.

"This was a disaster waiting to happen," said Rep. Bob Filner, D-Calif., the acting top Democrat on the House panel. "Between all the lines, there was a failure of management, at the very top."

Added Rep. Michael Bilirakis, R-Fla.: "In seeing where the buck stops, really it stops with the head of the VA."

Responding to the charges, VA spokesman Matt Burns said Nicholson has worked to centralize control over information security since becoming VA secretary in 2005.

"The secretary is working diligently to ensure that VA employees are adequately trained in IT security, and that the department continues to aggressively implement stronger policies and procedures to prevent such an unfortunate incident from happening again," Burns said.

Congress is trying to determine whether the VA took proper steps to guard against the unauthorized disclosure of personal information in what has become one of the nation's largest security breaches. The May 3 theft at a VA data analyst's home involved names, birth dates and Social Security numbers.

The agency has acknowledged that the longtime midlevel employee — who has since been fired — improperly took the information home on an unsecured personal laptop for three years, apparently without his supervisor's knowledge.