WASHINGTON — A software glitch with a Department of Veterans Affairs benefits portal allowed users to access one another’s private information, alarming some veterans groups and lawmakers, who see the incident as the latest manifestation of an ongoing security problem.
The issue arose last week on a joint VA-Defense Department site that allows veterans and their dependents to access medical and educational benefits, disability claims, bank information and military personnel records, among other sensitive data.
More than 5,300 users may have been affected by the glitch, according to initial VA estimates.
VA shut down the eBenefits system on Jan. 15 and brought it back online Sunday. The agency said in a statement Tuesday that it “conducted a full review of the software issue and reinforced its security posture, after determining that the defect had been remedied and the portal was functioning properly.”
“We offer our sincere apologies to any service member, veteran or family member impacted by the software defect and the downtime,” VA said.
An internal VA memo says about 20 veterans contacted the agency on Jan. 15 to report that they could see the accounts of other users when they logged on.
The defect has raised concerns among lawmakers and veterans organizations. Some of the groups say their members are growing weary of such mistakes.
“We’ve seen VA expose sensitive information about veterans before,” the American Legion’s national commander, Daniel Dellinger, said in a statement Wednesday. “Now it has happened with the relatively new eBenefits website. How can VA expect our veterans to file for benefits online when they may be risking identity theft by doing so?”
In a statement Wednesday, Rep. Jeff Miller, R-Fla., chairman of the House Veterans Affairs Committee, criticized VA for a “string of alarming IT security setbacks” and called on the department to offer credit-monitoring services to every veteran and dependent in its database. He also said that VA Secretary Eric Shinseki must hold the agency’s leadership accountable for the “ongoing failures and unreasonable risks in IT security.”
Rep. Mike Michaud, the ranking Democrat on the committee, said, “Failures need accountability, but right now I’m more interested in moving forward quickly to determine the full extent of any problems and identify the fixes. Chairman Miller and I are united in our concern over this issue and in our commitment to getting a solution for our veterans.
“As we saw with the latest incident involving Target, safeguarding personal information from cybersecurity threats and software glitches is becoming ever more critical not only for our veterans, but for all Americans. VA must be results-oriented and must take additional steps to safeguard this information and identify areas where new security measures need to be taken,” he added.
VA said it is reviewing the mishap and will determine an exact number of users affected by the glitch. The agency also said it will provide free credit monitoring for any affected individuals.
The eBenefits system has about 3.4 million users, according to VA.
The House committee has been investigating VA’s IT security practices since last year. The panel learned during a June hearing that the agency’s computer network had been compromised by multiple individuals since March 2010, prompting a series of inquiries from lawmakers.
Miller and Michaud wrote Shinseki in June requesting information about earlier problems.
“It is known for certain that some of the areas in the system that were compromised included unencrypted personally identifiable information regarding veterans and their dependents,” the letter said.
Since June, lawmakers have sent dozens of questions to Shinseki about VA’s information security practices, and some have grown frustrated with the agency’s response times. Miller has issued weekly letters to the secretary listing the outstanding information requests.
VA said in a statement Wednesday that it “respects Congress’ important oversight role and is committed to providing timely and accurate information.” The agency added that it has dealt with more than 85,000 congressional requests during the past four years.
The problems with the eBenefits site were first revealed on the online news site FedScoop.
On Monday, the site quoted a veteran saying he accidentally changed the information of another user before noticing the glitch, suggesting veterans were able to alter accounts other than their own.