Originally created 09/24/98

Security of government data questioned



WASHINGTON -- Your loan application is rejected -- because bank records list you as being dead. Impossible? Think again.

It happened to a woman in Naples, Fla., after a Social Security Administration employee who had a dispute with the woman changed her computer records. Federal investigators say the incident reflects the vulnerability of personal information in government computers.

"Government computers must protect national security and the public's private and sensitive information from unauthorized disclosure," Sen. Fred Thompson, R-Tenn., chairman of the Senate Committee on Governmental Affairs, said at a Wednesday hearing.

The hearing, the third on the security of government computer systems, focused on the Social Security Administration and the Department of Veterans Affairs.

In two reports released Wednesday, the General Accounting Office, the auditing and investigative arm of Congress, said personal information on computers at the two departments is vulnerable to alteration, improper disclosure or destruction by outside hackers. The information includes Social Security numbers and details on wages, disabilities and benefits.

Officials from both departments said they were aware of the shortcomings and were taking steps to improve security.

But employees can be a problem, too, said James Huse Jr., the Social Security Administration's acting inspector general.

Huse said the Florida case progressed after his office was tipped off that an SSA employee had improperly changed the woman's computer record.

Huse said the victim and the employee, Jorge Yong, a claims representative in the district office in Belle Glade, Fla., had a disagreement over the Internet, which led to Yong being banned from the chat room they frequented. Because of the conflict, Yong later admitted, he doctored the woman's records to indicate her "virtual death."

Yong was sentenced in March to a year's probation and fined $800.

Another case, "Operation Pinch," found SSA employees had sold personal data on 20,000 people whose credit cards were later maxed out by members of a West African fraud ring. The financial losses were estimated to be at least $70 million, Huse said. The ongoing operation so far has resulted in 27 convictions, including a dozen Social Security Administration employees, he said.

Huse said employee fraud is a top priority. "Employees are made aware of the fact that the SSA has a zero tolerance for fraud," he said.

However, that appeared not to be the case at the VA, the GAO said.

Investigators found thousands of VA employees had far more access to files than necessary to do their jobs -- a problem also present at the Social Security Administration.

In addition, they found that former Veterans Affairs employees or those transferred weren't promptly removed from the list of authorized users.

GAO said the Department of Veterans Affairs' lack of a comprehensive computer security planning and management program aggravated the problem.

Harold Gracey, the department's acting assistant secretary for information and technology, said the agency was putting such a system in place.

Gene Dodaro, GAO's assistant comptroller general for accounting and information management, said agencies are becoming more aware, but the problem demands the attention of department heads as well as the administration.

"Agencies are beginning to take action but it has to be more than a reactive posture," Dodaro said.

Thompson was not encouraged. "They're not going to do that until they're told to do that," he replied.