U.S. lawmakers on Thursday ripped into the U.S. Department of Veterans Affairs for a massive data breach announced this week, with one congressman calling for the resignation of the agency's leader.
Fixing the data theft, which involved the unencrypted personal records of 26.5 million veterans and their spouses, could cost "way north of $100 million," said VA Secretary R. James Nicholson, speaking to the House Veterans' Affairs Committee. Asked what assurances he could give to veterans who could need help fixing credit problems or recovering lost money, Nicholson said he didn't know, without authorization from Congress.
Representative Bob Filner (D-California) questioned Nicholson's commitment to take responsibility for the data theft, which included Social Security numbers and information on health conditions. Filner and other members of the House Veterans' Affairs Committee also questioned why the VA waited until Monday to announce the data theft, which happened during a May 3 break-in of a VA analyst's home.
Nicholson's explanations about the incident were "incredibly bureaucratic," Filner said, in the first of two congressional hearings VA leaders faced Thursday.
"You said, 'I take responsibility,'" Filner said. "The most dramatic thing to do to take responsibility is resign. You tell [veterans], 'If you have any problems, call your credit bureau, call your bank.' Where is your responsibility in all this?"
VA Deputy Secretary Gordon Mansfield failed to tell Nicholson of the theft for 13 days, the secretary said. Nicholson is still reviewing disciplinary actions for Mansfield, the analyst who took home the data, and others at the VA involved, he said.
Nicholson called the theft "devastating," and said the failure of employees to notify him of the theft shows serious problems at the VA. "As a veteran myself, I must tell you I was outraged," he said.
Committee chairman Steve Buyer (R-Indiana) said the "intolerable" incident is part of a long history of VA officials resisting change in its IT infrastructure and its cybersecurity efforts. "I believe there's a damaged trust, angered veterans and their families, and there are systematic flaws," Buyer said.
Buyer suggested the agency offer a $1 million reward for the recovery of the missing data. "That million dollars is nothing compared to what we're about to spend" to fix the VA problems, he said.
The agency has received an F grade in four of the past five years on an annual cybersecurity review by the House Government Reform Committee.
So far, there's no indication that the stolen data has been used in identity theft schemes, Nicholson said. The VA has declined to give out details about the break-in, including the storage media, because the thieves may not know they have the data, he said.