It's been just over a year since the U.S. Department of Veterans Affairs disclosed that a laptop PC and external hard disk containing personal data on 26.5 million veterans and active-duty military personnel were stolen from the home of a VA employee.
The disclosure sparked widespread concern over the perceived lack of information security controls at the agency. It prompted a sweeping overhaul of the agency's IT organization including top-level personnel changes and a centralization of all IT development, operations and maintenance activities at the VA.
Both the laptop and disk were later recovered by the FBI, which also certified that the data had been untouched. Even so, the massive scope of the compromise and the attention it generated has driven considerable change in information security policies not just at the VA, but governmentwide, analysts and vendor executives said.
"Because of the sheer size of the VA breach, and because it was an issue that related to veterans, it really brought home the issue of security in a way that was not there prior" to the incident, said Geoff Gray, a lobbyist at the Cyber Security Industry Alliance, an industry advocacy group in Arlington, Va. "If the question is, 'What rises to a level to really draw the attention of policymakers,' this one did," he said.
Here are five lessons learned and steps taken in the wake of the data breach, according to analysts and vendors.