The Washington Post reports that the department's former chief information security officer Jerry Davis, who left the position in February 2013, testified that the Veterans Affairs Department 's computer networks have been targeted for the last three years - and still are - and that there were multiple successful compromises (and some unsuccessful) at the hands of at least eight foreign-sponsored organizations.
Davies said that information such as Social Security numbers and dates of birth have definitely been accessed, and some of it encrypted and exfiltrated from the compromised computers.
Representative Mike Coffman, chairman of the subcommittee, shared that "the entire veteran database in VA, containing personally identifiable information on roughly 20 million veterans, is not encrypted, and evidence suggests that it has repeatedly been compromised since 2010 by foreign actors, including in China and possibly in Russia.”
On the other hand, Stephen Warren, who is acting assistant secretary for information and technology at the VAD, said that he was aware of only one compromise, adding that there were additional hack attempts by more than one foreign entity.
According to him, not all of these attacks were by state-sponsored entities - some were organized and executed by cyber crime syndicates looking for information they could sell or use themselves to perform identity and credit card theft.
What is sure is that internal investigators have, sadly, found over 4,000 weaknesses and vulnerabilities within the department's networks that are still waiting to be resolved and patched.
My suggestion? Start with encrypting sensitive data.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.