The software glitch that forced the Department of Veterans Affairs to take down the eBenefits Web portal over the weekend may have affected far more veterans than initially reported and enabled anyone who was logged in to alter the personal information contained in an unknown number of records.
VA has been investigating a problem with the joint VA-Defense Department eBenefits system since Jan. 15, when several veterans reported being able to see the personal information belonging to other veterans when they logged into the system. An internal VA memo obtained by FedScoop showed approximately 10,000 veterans had logged into the system during the time frame when the glitch was discovered.
But new video footage obtained by FedScoop from Eric Grzelak, a disabled veteran who has tried unsuccessfully to alert VA to the problems, shows the glitch exposed the private records of multiple veterans for every person who was logged in. In addition, Grzelak's video evidence shows it was possible to alter the records, placing at risk the private information of potentially tens of thousands or more veterans.
"I could see someone's name, date of birth, Social Security number, what disabilities they had [and] how much they got paid," Grzelak told FedScoop. "Everything you would look at would pull up someone else's info. It would change every time you refreshed the page."
FedScoop has agreed not to show the video footage because it reveals the private information belonging to Grzelak and other veterans.
Grzelak first became aware something was wrong with the system when he logged into the portal to check on the status of a claim. But instead of showing Grzelak's benefits summary, it displayed an application for an increase in compensation based on unemployment belonging to a different veteran.The application included the veteran's name, address, telephone number, Social Security number and VA file number.
Grzelak immediately tried to edit his own claim. But that page asked him to verify an address he didn't recognize.
"I thought it was a security thing to verify it was me, so I said no," Grzelak said. "Then, I put my address in. When I hit next, it pulled up some random guy with all his info, [but] with my address that I just updated. So you could change people's info if you wanted. So I'm not sure if this poor guy's stuff is going to start coming to my house."
The eBenefits portal is managed jointly by VA and DOD, and allows veterans and their dependents to access their medical and educational benefits, claims and a wide variety of forms and military documents. Included in that information is the ability to update direct deposit information, generate home loan certificates of eligibility, view DOD TRICARE medical information, military personnel records and VA payment histories.
More than 2.8 million veterans living in 180 countries have registered with the portal, which recorded more than 4.3 million visits in 2013.
The eBenefits portal was back online late Sunday night, but there was no mention of why the site had been down or if veterans should check their accounts for accuracy. Grzelak said he did not see any problems when he logged in around 11 p.m. ET.
"I think its a huge deal that I was able to change someone's info," Grzelak said. "Everyone needs to check now to make sure all their information is correct. I mean, you could change anything -- bank info, home address. It was all open."