There's No Security Like Reactive Security

from the a-little-late dept

Fri, Jun 9th 2006 10:19am — Carlo Longino

After a laptop with the personal information of millions of veterans and military personnel was stolen from a Department of Veterans Affairs employee, the agency's decided it would be a good idea to go ahead and recall all its laptops so their security software can be reviewed. The recall will be part of a "Security Awareness Week" announced by the department's secretary in the wake of the event, along with his call for strengthened federal penalties for individuals found to be negligent in their handling of personal information, adding that the department is in the process of firing the employee whose laptop was stolen from their home. While trying to make employees take more personal responsibility and making them realize they have a vital role in security would be beneficial, it seems a little misguided to make employees accept so much responsibility when their employers don't really have to worry about the repercussions of poor security. While the head of the VA's call for increased security and his intention to beef up are laudable, it's of little comfort to the 26.5 million people whose personal information was stolen. The guy calls this theft "the hundred-year storm" of data leaks, but the scale really isn't important, particularly to the people whose info gets lifted. It's almost as if he's saying if only 100 or 1,000 people's data were leaked, it wouldn't really matter, which is a completely irresponsible attitude -- or perhaps a lesson to thieves. Keep it small, and nobody will care. There have been enough previous data leaks that companies and government agencies should be well aware of the problem, and not waiting for it to break some random threshold before they decide to improve their security.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

15 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Some IT Bastard, 9 Jun 2006 @ 10:41am

Theft?
I think this employee discovered that they could make more money selling the information they were so cheaply paid to take care of.
[ link to this | view in thread ]
Nicholas G, 9 Jun 2006 @ 11:06am

slightly more then you think...
26.5 million veterans, and 2.2 million active duty... including those currently getting 7.62mm rounds and RPG's hurled at them.

How nice to have reactive security.
[ link to this | view in thread ]
drkkgt, 9 Jun 2006 @ 11:28am

as a vet myself
I think the management at the VA who were given the security report from the oversight commitee last year should also be fired and fined, along with any middle mangement who reviewed and did the same thing. This one employee, while screwing up big time, was still just following the lead of his bosses in not worrying about security and should be following them out the door via the Seargent Boot Express.
[ link to this | view in thread ]
Scott, 9 Jun 2006 @ 11:48am

Employee
The employee was not supposed to have that data in the first place, therefore firing the employee is perfectly justifiable.

Not saying the VA processes need work, just that "it seems a little misguided to make employees accept so much responsibility" is not fair in this context. If I am not supposed to have data and it is stolen that seriously compounds the first problem.
[ link to this | view in thread ]
Comboman, 9 Jun 2006 @ 11:49am

I have a briliant security idea!!
I have a briliant security idea, how about letting your employees have a home life instead of forcing them to take work home with them? Leave the computers locked up at work where it's nice a safe.
[ link to this | view in thread ]
Carlo, 9 Jun 2006 @ 12:02pm

Re: Employee
Scott, I agree that employees should absolutely be held responsible for stupid personal decisions -- I think you're talking what I said a little out of context. That whole thought was "it seems a little misguided to make employees accept so much responsibility when their employers don't really have to worry about the repercussions of poor security."

There's currently little incentive for businesses or governmental bodies to tighten up security, because the standard of what's responsible action is so low, and the punishment they receive should they leak data is nothing more than a slap on the wrist. Given that, I think that putting all of the onus on employees, instead of also forcing their employers to beef up policies and security measures, is a half-cocked solution.
[ link to this | view in thread ]
nb109, 9 Jun 2006 @ 12:12pm

Ugh...
I JUST got out of the Marine Corps a few months ago, so I'm assuming that my information was amoung the crap that was stolen. Does anyone know of a list I can check to see if I'm included in this nonsense?
[ link to this | view in thread ]
Anonymous Coward, 9 Jun 2006 @ 12:40pm

Re: Ugh...
"Does anyone know of a list I can check to see if I'm included in this nonsense?"
I'm afraid your best bet is to ask the VA directly. Although the position implied by their FAQs is "watch your credit report, and if your identity is ever stolen, then you'll know."
FAQ pages:
http://www.firstgov.gov/veteransinfo.shtml
http://www1.va.gov/opa/data/data.asp
[ link to this | view in thread ]
Petréa Mitchell, 9 Jun 2006 @ 12:43pm

Missing links
I notice that they say they're going to scrub all unauthorized data and software off the laptops, but there's nothing there about adding security measures to keep people from filling up their laptops with inappropriate data again....
[ link to this | view in thread ]
What a Crock of Poo, 9 Jun 2006 @ 2:08pm

The Va Really Is
I have two brothers, one who is still active duty US Army, the other who just got out of the Army after serving 2 tours in Iraq. They had no clue about this until I forwared this story to them. I wonder how many other soldiers who are laying their lives on the line are getting their IDs jacked while the VA twiddles their thumbs.
[ link to this | view in thread ]
STJ, 9 Jun 2006 @ 2:27pm

It's sad this keeps happening again and again, (IE citibank, sams club) yet there is no one wanting to change anything. The government needs to step in and say for every SSN you loose you will pay $1000. That should start them doing something productive
[ link to this | view in thread ]
Nicholas G, 10 Jun 2006 @ 1:13am

Identity Theft Responsibility
then again, if we [the voting population of america] placed the responsibility of preventing identity theft on the financial institutions (i.e. if you allow a thief to acquire a credit card on someone elses credit, you [the institution] are financialy responsible for repairing the damage) there would be little to no identy theft.
[ link to this | view in thread ]
Con Parant, 10 Jun 2006 @ 8:18am

VA employee clearances
I am even more surprised that the VA is just now considering an NACI/MBI background check a requirement for employees accessing sensitive data. Only an NACI/MBI? That is about as thorough as applying for a grocery store checkcard. Relative to trusting a low-paying worker, they should require a higher level of background checks for any employee handling sensitive or personal data.
[ link to this | view in thread ]
Ninja12, 19 Jun 2006 @ 7:59am

Re: as a vet myself
That is Right! Why fire just one employee? Sure, He was wrong and deserves the punishment YOUR leader is responsible for your ludicrous actions!

There needs to be a cleaning of the house for VA IT Department and get some people in there who know what they are doing! THIS PUNISHMENT WILL NOT STOP STUPIDITY!
[ link to this | view in thread ]
Ninja12, 19 Jun 2006 @ 9:29am

Get Real & Take Ownership People
The cost of encrypting the hard disk on the laptops the VA has, would have been much less than the current cost of trying to recover from this fiasco!

I am a reservist as well and I receive the notification letter from the regarding theft of the information and since I also work for a Bank as an Information Security Analyst, I hope that I have taken the corrective measures to protect myself from ID theft.

All I know is that there is no use in B*tching about this subject anymore, however I do not feel that punishing the ONE guy for his obviously stupid act is going to solve anything! This person was allowed to do what he did because of poor leadership and that leadership’s inability to understand information security as a serious matter. Nevertheless, as with most people I have met in the corporate world, there is nothing wrong with a poor information security policy until there is a major problem. It is just a matter of time before poor security measures are exploited or violated so instead of standing there waiting for that disaster to happen, get some proactive solutions in place. ING just learned that lesson as well with the theft of a laptop. Starts asking your bank and credit unions how safe their laptops are and be demanding about it, because it is so easy to steal information that it is not even funny.

I have found that if your job is office or business concern and not information technology related, your knowledge of data theft is going to be minimal, so in that situation the responsibility to make your data safe is totally up to your Information Technology department and information security policies. Read your companies Information Security Policies and obey them! They are there for a reason, to protect your customers, who just happen to be the reason you even got a job and get a paycheck!
[ link to this | view in thread ]