The Office of Management at the U.S. Department of Veterans Affairs (VA) disclosed a security incident involving the personal data of 46,000 veterans.
The VA detailed the data breach in a statement published on its website on September 14. According to this press release, the VA's Financial Services Center (FSC) discovered that unauthorized actors had accessed one of its online applications for the purpose of diverting payments to community providers of health care services for veterans. Upon making this discovery, the FSC took its application offline and notified the VA's Privacy Office about the security incident. The Privacy Office subsequently launched an investigation into the data breach. This effort revealed that those unauthorized actors had acquired access to the FSC's online application by using social engineering techniques and by exploiting authentication protocols. VA officials noted that they would not restore system access until the Office of Information Technology had completed a review of the Department's security measures. In the meantime, they indicated that they would begin notifying victims. As quoted in the press release:
To protect these Veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information. The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised.
The data breach discussed above wasn't the first security incident at the VA to make headlines. Back in 2006, news emerged of an unknown actor having robbed a Department employee's home. That actor made off with a laptop and external hard drive containing the personal information of 26 million veterans, reported ZDNet. The Inspector General published a report after the incident in which it chided the VA for having acted "with indifference and little sense of urgency" after having learned of the data breach.