About 50,000 Department of Veterans Affairs personnel joined an unapproved, insecure social media tool that put data at risk, according to a report from the agency’s watchdog.
The Office of the Inspector General found in an investigation that about 25,000 VA employees had actively used a Web-based social platform called Yammer since its adoption in 2008, despite policy that forbade doing so. (VA, however, did allow the use of Yammer’s Notifier program in some instances.) About 25,000 more signed up for the service but did not activate their accounts.
The IG said Yammer — a Microsoft-owned social networking service for private communication within an enterprise — made VA information vulnerable because of the “relatively simple process to post.” Likewise, there was no network administrator appointed to oversee what information was shared on Yammer.
“Even though it was not authorized for use, or monitored, it quickly became widely used by VA employees, without ever going through the appropriate approval process or first meeting the standards set forth in VA Directive 6515,” the report concludes. “We found that VA Yammer did not have the required Web-based Collaboration Service Coordinator, resulting in no one individual ensuring that the social media site did not contain improper posts, such as VA sensitive data, inappropriate content, or a misuse of official VA time and/or resources.”
In its investigation, the IG found several instances in which VA users shared sensitive department information on the platform, which was not localized to the VA network — that is, anyone with an Internet connection could access it with an @va.gov email address.
What’s worse, the IG discovered, is that VA leadership promoted the unapproved use of Yammer. According to the report, former acting VA Chief Information Officer Stephen Warren used and showcased the program.
Warren “was responsible for providing oversight and guidance, as well as ensuring that, once approved, secure access was provided to it,” the report says. “Instead, he not only used the unapproved VA Yammer site to hold an open chat forum, but in a CIO message reminding users to comply with VA policy when using the unapproved site, giving the false impression that Yammer was approved for VA employees to use.”
The IG recommends that the proper offices evaluate Yammer for future use, and determine the appropriate administrative action to take against officials and employees who used it.
VA Chief of Staff Rob Nabors said the Office of Information and Technology will evaluate whether to approve Yammer for official use by Oct. 1. The department will also determine appropriate administrative actions for VA personnel who used Yammer in unapproved ways, Nabors said.