MOORE COUNTY, N.C.—The Veteran Affairs E-Benefits website was shut down temporarily last week after VA security employees detected a data breach in the site’s code.
Following a software update designed to improve the E-Benefits page, which is supported by both the VA and the Department of Defense, some Veterans and Service members who logged into the website Wednesday night reported that were able to look at other users’ personal and financial information.
Some users, such as Navy Veteran Sylvester Woodland of North Carolina, even report that they were able to access others’ information, including bank accounts, simply by refreshing the E-Benefits page.
The VA’s Data Breach Core Team (DBCT) responded by shutting down the website in an attempt to prevent any instances of data theft. The site has since been reactivated.
VA officials report that they currently suspect about 5,500 users were affected by the software glitch Wednesday night. A total of 3.38 million users are signed up with E-Benefits.
But this is not the first instance the VA has been compromised online.
In 2006, a Veteran Affairs employees’ laptop containing personal information on about 26 million Veterans and Service members was stolen. The VA ultimately paid $20 million as compensation for the breach, but the agency’s reputation was nonetheless tarnished.
A series of harsh reviews by the VA Office of Inspector General, not to mention public pressure, subsequently resulted in the creation of the DBCT in 2007, as well as an organizational transformation in how the VA dealt with web security.
These changes, however, did not produce positive change. In the summer of 2013, it was reported that at least eight nation-states, including Russia and China, were responsible for a data breach in which hackers infiltrated the VA website and stole information.
The U.S. government cannot know exactly what information was breached because the hackers encrypted the unencrypted VA data before exporting it elsewhere.
A subsequent audit of the VA Office of Inspector General revealed that one of the primary reasons for the frequent data breaches was the VA’s decentralized and complex organizational structure, which makes the implementation of agency-wide controls all but impossible.
Given last week’s hack, it is clear that the VA still has serious web security problems with which to contend.
The E-Benefits shutdown represents an inauspicious beginning to 2014 in the realm of federal cybersecurity. This recent hack has surfaced at a time when, despite reports that it has met industry standards for security, Healthcare.gov, the official site for Obamacare, is still insecure.
Additionally, a recent poll indicates that only half of Americans heard Obama speak about his reforms regarding the NSA’s ability to collect information last week. Of those who did listen to his remarks, a minority think that the President’s actions will make any difference.
The American people already have little to be confident about when it comes to the United States’ cyber security policy. Last week’s hack of the VA only confirms this point.
David Bisson | @DMBisson
Bio: David is currently a senior at Bard College, where he is studying Political Studies and writing his senior thesis on cyberwar and cross-domain escalation. He also works at the Hannah Arendt Center for Politics and Humanities at Bard College as an Outreach intern. Post-graduation, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.