Dan Verton is FedScoop's Editorial Director. A veteran technology journalist with 20 years of experience covering the federal government, Dan is a ...
Editor's note: Story has been updated to include a statement from VA.
The Department of Veterans Affairs is investigating a problem with the joint VA-Defense Department eBenefits system after several veterans reported being able to see the personal information belonging to other veterans when they logged into the system.
As of 3 p.m. ET, the eBenefits Web portal was offline, instructing veterans experiencing a medical emergency or in need of immediate crisis counseling to go to their nearest emergency room or to call 9-1-1.
An internal VA memo from the Corporate Data Center Operations in Austin, Texas, obtained by FedScoop, said the incident occurred Jan. 15 at 10 p.m. ET when 20 veterans called the VA help desk complaining the eBenefits system had presented them with information belonging to other veterans.
"Veteran A was able to access any of the information available in eBenefits for Veteran B, but it is unknown if Veteran A moved past the initial welcome page," the memo states. "VA IT specialists are investigating whether or not logs can be pulled showing which pages were accessed. Approximately 10,000 users logged in to eBenefits on Jan. 15 so IT specialists are investigating in an attempt to narrow the time frame of when the incident began and ended."
The eBenefits portal is managed jointly by VA and DOD, and allows veterans and their dependents to access their medical and educational benefits, claims and a wide variety of forms and military documents. Through the portal, users can update direct deposit information, generate home loan certificates of eligibility, and view DOD TRICARE medical information, military personnel records and VA payment histories. More than 2.8 million veterans living in 180 countries have registered with the portal, which recorded more than 4.3 million visits in 2013.
CDCO is a unique public-private data center partnership known as a Franchise Fund Organization. Authorized by the Government Management Reform Act of 1994, CDCO manages more than 1,800 servers for a multitude of government agencies. It operates on a fee-for-service basis, rather than receiving direct federal funding.
VA said in a statement Friday afternoon the incident stemmed from a "software defect" introduced "during a process to improve" the system.
Once the number of users affected by the problem is determined, VA "will take the appropriate response, which may include free credit monitoring for the affected individuals," according to the statement.