Unsecured webpage put 7,000 vets at risk for years

The website flaw has been fixed, but the VA is planning further investigation of possible exfiltration of data from its network.


The Department of Veterans Affairs has disclosed a security flaw in a patient database that put information on more than 7,000 veterans in public view.

The information, including names, Social Security numbers and birthdates, was contained in a single document that could be accessed via a specific web address on a public-facing telehealth website run by a Veterans Health Administration contractor. The name of the contractor was not released. The flaw was first reported to the VA on Nov. 4 and was publicly announced in a Christmas Eve news release.

According to a VA incident report released by the agency, the personal information was exposed for several years. The web address was not linked within the site, per the incident report, and a user would have to have knowledge of the address to access the document.

The VA was alerted to the security flaw via an anonymous email, believed to have been sent by a contractor employee, which included personal information on five veterans. The email was sent to senior leaders at VA, triggering an investigation. The security flaw was quickly patched with the assistance of the VA's Network and Security Operations Center (NSOC), and monitoring services were offered to 7,054 veterans whose information was potentially compromised.

A VA spokesperson contacted by FCW didn't clarify whether the anonymous source who reported the security flaw was acting as a whistleblower or had some other agenda. The incident report indicates that the vendor identified and fired one employee as the likely culprit, although that employee denied being the source of the email. An NSOC review of the vendor's user logs couldn't definitively conclude who had accessed the data, or whether the entire contents of the database were compromised. The document in question was accessed, according to usage logs, but it's not known by whom, or whether the information was copied by the user.

VA is a popular target for cyber criminals. Network defenses detected more than 15 million intrusion attempts in November alone, and blocked more than 88 million suspicious inbound emails. The Einstein 3 network monitoring tool operated by the Department of Homeland Security is the first line of defense for the agency, and regularly deflects millions of potentially risky inbound emails and other possible attacks.

But even with Einstein 3 in place, the VA still has work to do to satisfy internal security auditors. The VA flunked its fiscal 2014 audit, which is required under the Federal Information Security Management Act. In a November call with reporters, VA CIO Stephen Warren said that outstanding fixes from the 2013 FISMA report needed to be put in place, and that the 2014 report, due out in March, will seek improved standardization in system configuration and tighter access controls.

Although the website flaw has been fixed, the VA is planning to further investigate the possible exfiltration of the veterans' data from the VA network, according to the incident report.