The inspector general for the Department of Veterans Affairs has substantiated allegations that the VA was transmitting sensitive data, including personally identifiable information and internal networking routing information, over unencrypted telecommunications carrier networks, potentially jeopardizing the information and networks.
IT managers said they had accepted, via a waiver, the security risk of potentially losing or misusing the sensitive information exchanged, but the IG said the use of a waiver in this case was inappropriate.
Without controls to encrypt the sensitive VA data transmitted, veterans’ information may be vulnerable to interception and misuse by malicious users as it traverses unencrypted telecommunications carrier networks, the IG concluded, adding that malicious users could obtain VA router information to identify and disrupt mission-critical systems.