Computer hackers operating from foreign countries have been stealing information for the past three years from the unencrypted Department of Veterans Affairs (VA) database, which contains personal information on about 20 million American veterans.
The VA database includes the names of veterans and their dependents, Social Security numbers, dates of birth and protected health information.
John Stovall, director of The American Legion's National Security/Foreign Relations Division, said the repeated cyber-theft of VA information "is shocking, given the fact that federal agencies and private-sector businesses have been under such attacks for several years. It is completely unacceptable that the VA would leave such a massive, sensitive database unencrypted and vulnerable."
At a June 4 hearing of the House Committee on Veterans' Affairs, VA official Stephen Warren claimed that only one nation – which he did not identify – has penetrated VA's computer network in the past year. That claim was contradicted by another panelist, Jerry Davis, VA's former deputy assistant secretary for information security. He said he knew of at least eight foreign-sponsored organizations that have broken into VA's network.
Stovall said "the most likely culprits are computer hackers in China and Russia, either working for the government or else organized crime. Any gang of cyber-thieves committing financial fraud would also have an obvious interest in stealing personal information. Because VA has failed to protect its network sufficiently, many of our nation's veterans are at risk from identity theft, credit fraud and other crimes committed in cyberspace."
The American Legion passed two resolutions at its national convention last August that dealt with cyber-security. One called on Congress "to appropriate the necessary funding to combat the continuing cyberspace warfare threats to the United States in the 21st Century"; the other urged the federal government "to immediately take such action as may be appropriate and necessary to effectively fund and staff federal intelligence and security agencies at a level that will help protect the United States from foreign espionage, organized crime, terrorism, and subversive activities."
Auditors in VA's Inspector General office have reported that, in addition to taking data, hackers also took control of domain controllers, which allowed them to have full access to VA's network.
Warren said at the hearing that he was confident in the steps taken by VA to meet cyber-security challenges. One initiative, the Continuous Readiness Information Security Program, is expected to be fully implemented later this year. VA also has a plan in place that will address 32 cyber-security recommendations by its own Inspector General. Committee member Rep. Mike Coffman, R-Colo., asked VA to submit a report within 30 days on exactly how it plans to act on those recommendations.