House lawmakers, once again, are pressing the Veterans Affairs Department for more answers about how they are addressing their cybersecurity troubles.
Rep. Jackie Walorski (R-Ind.) sent a letter to Secretary Bob McDonald Dec. 15 asking for more details about the eBenefits website cyber breach that happened in January. VA reported the breach exposed the data of more than 5,000 veterans.
Meanwhile, Rep. Mike Coffman (R-Colo.) continues to wait to hear from VA about a letter from Nov. 21. In that correspondence, Coffman asks VA for copies of reports from Deloitte over the last two years relating to cybersecurity, IT and information management issues. Coffman also is asking about the Mandiant report VA commissioned and mentioned during a November hearing.
VA Chief Information Officer Stephen Warren said at the hearing that hired Mandiant to look at the agency’s domain controllers. He said their cyber experts initially reported the systems are clean from malicious software.
A committee staff member said members still are waiting for VA to deliver the final Mandiant report, which Warren said would be finalized in December.
Both letters are part of an ongoing investigation by the committee about VA’s challenges in securing veterans’ data and its networks.
“VA takes the protection of Veteran information seriously,” a VA spokeswoman said. “VA is working to provide thorough responses to the Committee’s questions.”
Walorski’s renewed interest in the nearly year-old data breach stems from a story about a veteran in Southwest Florida who twice had his account hacked in two months.
“Individuals broke into Frank Taylor’s account and created a fake online profile through the eBenefits system in order to steal his disability compensation,” Walorski wrote. “Mr. Taylor received absolutely no notification that there were changes to his account. The fact that eBenefits does not check a veteran’s information within his or her existing account, and is unable to tell if there is a discrepancy between an account already registered through the VA and an account set up online is unacceptable.”
Walorski said VA has offered the committee assurances several times that the eBenefits system and its data are secure, yet “security incidents continue to occur on a regular basis.”
Walorski asked VA to respond to four questions by Jan. 9:
“How is VA enhancing reporting procedures which identify potential security breaches, and improving notification to veterans when changes are made to their accounts?
“Someone allegedly set up an eBenefits account for Mr. Taylor, although he never set up an account himself. How does VA reconcile the information of veterans receiving benefits who never have electronically registered with eBenefits, with the information of those already registered in the system?
“Mr. Taylor had his eBenefits account deactivated Oct. 17, so it would not be hacked again. However, after the deactivation of his account, he continued to not receive his money because the account was breached a second time. How will VA ensure that victims who have been hacked once will not be hacked again?
“How many eBenefits accounts have been deactivated and how many have fraud alerts placed on them in order to prevent future attacks?”
“It is clear that the agency’s information systems, including the eBenefits portal, continue to be afflicted by persistent information security weaknesses,” Walorski said. “Recognizing the importance of securing veterans’ personal information, and minimizing further instances of identity theft or other fraudulent activity, my colleagues on the House Veterans Affairs Committee and I expect VA to take all the steps necessary to strengthen the security and privacy of the eBenefits portal.”
Walorski and committee members’ patience with VA has been wearing thin for the better part of a year. She introduced the Veterans Information Security Improvement Act in April, which many experts said was as prescriptive of a bill for cybersecurity as they had ever seen.