The Veterans Affairs Department is changing how it answers large-scale Freedom of Information Act requests to protect against further cyber breaches.
VA is taking these steps after it gave Ancestry.com the Social Security numbers and dates of birth of more than 2,200 living veterans initially presumed deceased.
A daughter of a living veteran found her father’s personal information on Ancestry.com and alerted VA of the data breach.
“We went back and scrubbed through 14.7 million records and found 2,257 individuals who were marked in that report as deceased that we have since determined were not,” said Roger Baker, VA’s assistant secretary for information and technology and chief information officer during a conference call with reporters Wednesday on VA’s monthly data breach report to Congress. “Because their information was released to Ancestry.com and posted on the website, they will get credit monitoring notification letters.”
Baker said the likelihood of any of that information being looked at was small because of the way the site works. He said someone would have to look up a specific person by name to find their personal data.
VA’s investigation into the data breach found a hole in its FOIA process.
Baker said one office at VA didn’t communicate with the FOIA office about the problems in the database.
“We have put in some fairly extensive firewalls to make sure this doesn’t happen again,” he said. “We have put in place as part of our internal notification, our daily notification, on issues, that any significant FOIA disclosures would be included in that notification to make sure it gets out fairly broadly and everybody has a chance to raise a hand if they believe there is a reason not to do that.”
Baker said VA knows Ancestry.com was the only FOIA requestor to have received this dataset.
“We have not seen this issue with any other FOIA response that we have provided from any of our databases that I’m aware of,” he said.
The data breach also happened because VA has different rules for releasing information about deceased veterans than it does for living ones.
“On those who are deceased, we have a requirement to release certain information that we would be prohibited from releasing on those who are still living,” he said. “Unfortunately, because of the way we receive the data, occasionally we receive erroneous reports of death, which in the normal course of business we end up working back through and remarking the individual as not deceased.”
VA wants to make sure every affected veteran is notified and understands the offer of credit monitoring services.
While this is not a huge data breach compared to what happened to VA in 2006 when it lost the data of more than 26 million veterans, Baker still termed it significant.
“We believe we handled it appropriately,” he said. “Our IG or the GAO or other folks may decide to do some investigation on what caused this to happen and have we adequately dealt with how to make certain it doesn’t happen again. I think that’s something that would be probable given this. It’s an unfortunate incident, but it’s also why we have some of the processes and procedures that we’ve got, because we know we will have to deal with these things given how much information we deal with.”