Lawmakers: Two other VA data breaches

U.S. lawmakers said Thursday they have learned of two more data breaches at the U.S. Department of Veterans Affairs (VA) even as the agency announced that law enforcement agencies had recovered stolen computer hardware containing the personal information of millions of U.S. military veterans.

The House of Representatives Veterans Affairs Committee has learned of a May 5 incident in which a data tape disappeared from a VA facility in Indianapolis, Indiana, and a 2005 incident in which a VA laptop was stored in the trunk of a car that was stolen in Minneapolis, Minnesota, said Representative Steve Buyer, chairman of the committee.

Also on Thursday, Pedro Cadenas Jr., the VA's chief information security officer (CISO), submitted his resignation. Cadenas, at the VA since 2002, had also served as acting deputy chief information officer (CIO) at the VA in recent months.

Before the Thursday morning hearing, VA Secretary R. James Nicholson said law enforcement agencies had recovered a laptop and hard drive stolen from a VA analyst's home in early May. The Federal Bureau of Investigation, after conducting forensics on the hardware, determined the personal data of 26.5 million veterans and their spouses was not accessed by the thieves, Nicholson later said.

Buyer, an Indiana Republican, said he was surprised at Cadenas' resignation, which comes on the heels of former VA CIO Robert McFarland's resignation earlier this year. Nicholson said lawmakers should expect more resignations as he tries to overhaul the IT security practices at the agency.

But the VA leadership has generally dismissed concerns raised by past CIOs and CISOs that the agency's decentralized IT management structure hurts IT security, Buyer said. "Maybe the wrong people are leaving," he said.

However, Buyer and other committee members praised Nicholson for a plan that includes an overhaul of the agency's IT department and a memo giving the VA CIO new authority. Nicholson's response Thursday was a big change from the slow reaction following the data theft, Buyer said. "Mr. Secretary, you have stepped forward," Buyer added. "You're off your heels and on your toes."

Nicholson and other VA officials detailed the two other data breaches to the committee. The Indiana data tape contained information on more than 16,500 legal cases involving U.S. veterans, VA officials told committee members during a hearing on data security. The information could include veterans' Social Security numbers, dates of birth and legal documents, VA officials said.

In the Minnesota case, the laptop contained the personal information of 66 people, and two people later reported identity fraud problems, VA officials said.

Buyer said the Indiana case concerned him because some of the facts paralleled the stolen laptop incident.

Nicholson was told by assistants of the stolen laptop nearly two weeks after it happened, and he was told about the May 5 data tape incident on May 23 or 24, he said.

Buyer and Representative Bob Filner, a California Democrat, both questioned Nicholson's decision to attempt to fire the analyst whose house was broken into. Filner brought documents to the committee showing the analyst had authorization to use VA software at home and to take laptops home. The analyst is facing a hearing to determine if the VA can fire him.

Filner questioned Nicholson's statements suggesting the analyst was guilty of gross negligence. "It seems to me that the gross negligence is in the policies," he said.