About 50,000 Department of Veterans Affairs personnel joined an unapproved, insecure social media tool that put data at risk, according to a report from the agency’s watchdog.
The Office of the Inspector General found in an investigation that about 25,000 VA employees had actively used a Web-based social platform called Yammer since its adoption in 2008, despite a policy that forbade doing so. (VA, however, did allow the use of Yammer’s Notifier program in some instances.) About 25,000 more signed up for the service but did not activate their accounts.
The IG said Yammer – a Microsoft-owned social networking service for private communication within an enterprise – made VA information vulnerable because of the ‘relatively simple process to post.’ Likewise, there was no network administrator appointed to oversee what information was shared on Yammer.
‘Even though it was not authorized for use, or monitored, it quickly became widely used by VA employees, without ever going through the appropriate approval process or first meeting the standards set forth in VA Directive 6515,’ the report concludes. ‘We found that VA Yammer did not have the required Web-based Collaboration Service Coordinator, resulting in no one individual ensuring that the social media site did not contain improper posts, such as VA sensitive data, inappropriate content, or a misuse of official VA time and/or resources.’
In its investigation, the IG found several instances in which VA users shared sensitive department information on the platform, which was not localized to the VA network – that is, anyone with an Internet connection could access it with an @va.gov email address.
What’s worse, the IG discovered, is that VA leadership promoted the unapproved use of Yammer. According to the report, former acting VA Chief Information Officer Stephen Warren used and showcased the program.
Warren ‘was responsible for providing oversight and guidance, as well as ensuring that, once approved, secure access was provided to it,’ the report says. ‘Instead, he not only used the unapproved VA Yammer site to hold an open chat forum, but in a CIO message reminding users to comply with VA policy when using the unapproved site, giving the false impression that Yammer was approved for VA employees to use.’
The IG recommends that the proper offices evaluate Yammer for future use, and determine the appropriate administrative action to take against officials and employees who used it.
VA Chief of Staff Rob Nabors said the Office of Information and Technology will evaluate whether to approve Yammer for official use by Oct. 1. The department will also determine appropriate administrative actions for VA personnel who used Yammer in unapproved ways, Nabors said.