Last week, an online Veterans Affairs benefits portal had a software glitch. According to VA officials, anyone who could log into the system last week would have seen exposed private information from military veterans. The problem arose off of a joint VA and Defense Department site that allows veterans and their families to access the various medical and educational benefits the veteran qualifies for, disability claims the veteran is applying for or receiving, bank information and military personnel records, among other sensitive data. It didn’t matter whether the information was current or from past veterans, all information were among the information made available via the data breach.
The first estimates to come out on what the damage is reports that more than 5,300 users may have been affected by the glitch, according to a VA official with knowledge of the situation. When the glitch first happened Wednesday, the VA shut down the eBenefits system for most of the week, bringing it back online on Sunday.
The VA said of the situation, “VA took immediate action upon discovering the software defect and shut the eBenefits system down in order to limit any problems.” The agency continued to say in a statement on Tuesday that it “conducted a full review of the software issue and reinforced its security posture, after determining that the defect had been remedied and the portal was functioning properly.”
“We offer our sincere apologies to any service member, veteran or family member impacted by the software defect and downtime,” the VA said. An internal VA memo says that about 20 veterans contacted the agency on January 15 to report that they could see the accounts of other users when they logged onto the site.
Reports and articles began to tell about the problems on January 17. In one of the articles from FedScoop, they quoted a veteran saying that he accidentally changed the information of another user before noticing the glitch, suggesting veterans were able to alter other veterans’ accounts, as well as their own, by just logging into the system.
“I went into my folder to check on the status of my claim and it said ‘sexual trauma’,” one veteran who experienced the glitch said. “It definitely was not mine. There were also lines of erroneous web code. You could tell there was a coding software error.”
Asking to remain anonymous out of fear of retaliation, the veteran, who has a computer background, said he then logged off the site completely, but again encountered the same error.
“I logged off, logged back in and it was the same thing,” he said. “Every time I’d log back in, I would get another person’s information.”
The VA said it is currently reviewing the mishap and is currently in the process of determining an exact number of users impacted by the glitch. According to the VA, the eBenefits system is used by about 3.4 million users, and the VA it will provide free credit monitoring for any affected individuals of this glitch.
This data breach is not the first time the VA has had privacy issues. In 2012, thousands of veterans had their personal information compromised when the VA released data to Ancestry.com and posted it. In 2009, the VA agreed to pay $20 million to veterans for exposing them to possible identity theft in 2006 by losing some of the veterans’ sensitive, personal information.
The VA’s IT security practices have been under the scrutiny and investigation of the House Veterans Affairs Committee sin last year. Its members have been questioning the agency since at least June, when the panel learned that its computer network had been compromised by multiple individuals since March 2010.
In a June letter to VA Secretary Eric Shinseki, Representative Jeff Miller, from Florida, and Representative Michael Michaud, from Maine, who head the committee, wrote: “It is known for certain that some of the areas in the system that were compromised included unencrypted personally identifiable information regarding veterans and their dependents.”
Since then, members of the panel have sent dozens of questions to Shinseki about the VA’s IT security practices. Some lawmakers have grown frustrated with the agency’s response times. Miller has sent weekly letters to the secretary listing the outstanding information requests.