Sunday, April 1, 2007

Dynamic Security with the IDentiWall option could resolve the issue for them

Failed VA security contract was 'an open checkbook,' report says

Jaikumar Vijayan


March 29, 2007 (Computerworld) A 10-year, $103 million contract for a security incident response center at the Department of Veterans Affairs (VA) had to be aborted after less than three years because of funding problems caused by bad planning and administration.

Instead of yielding a state-of-the-art security readiness and response capability, the contract became "an open checkbook" that resulted in the award of nearly two dozen noncompetitive task orders, inflated prices, overpayments and unaccounted-for equipment purchases totaling $35 million.

Those are just some of the findings of an audit by VA Inspector General George Opfer into the planning, award and administration of the Central Incident Response Capability (CIRC) contract awarded to the Veterans Affairs Security Team LLC (VAST) in July 2002. VAST was incorporated as a Texas-based limited liability corporation one week before the contract was awarded. The now-defunct company was owned by several small businesses led by Washington-based SecureInfo Corp.

According to Opfer's report, many of the problems with the $102.7 million CIRC contract had to do with the addition of requirements for a Managed Security Services (MSS) component. While there appears to have been adequate acquisition planning for the CIRC requirements, there is no evidence of similar planning for MSS requirements, the report said. In fact, it is still unclear when the decision was made to include MSS requirements in the CIRC contract. There is also no documentation to show that the VA's program office considered at any point whether it would make sense to award separate contracts.

"We found that deficiencies in the planning, solicitation, evaluation of proposals, award and administration of the contract for MSS resulted in uncontrolled spending, overpayments and illegal contracting actions that resulted in the ultimate demise of the contract due to lack of funding," Opfer said in his report.

One modification -- made three months after the contract was awarded to VAST -- added new language that changed the MSS component from a firm fixed-price contract to a so-called Indefinite Delivery Indefinite Quantity contract. "The modification allowed VA to issue task orders to fill requests from field facilities and Office of Cyber Security for MSS at additional cost," Opfer said in his report. The VA began issuing such task orders in August, shortly after the contract was signed -- even though the contract change that legitimized such orders was not made until October, the report said.

Under the original pact awarded to VAST in 2002, $82.9 million was earmarked for recurring labor costs over 10 years, with the remaining $19.8 million meant for equipment and supply costs. But because of the task orders, the potential value of the contract shot up from $102.7 million to about $250 million. Though this sort of a "cardinal change" was prohibited, it was still approved by the VA's Office of General Counsel. That approval came one day after counsel asked for an opinion on the modification by the officer in charge of the contract, Opfer noted in his report.

"This made the contract an open checkbook in that it resulted in the award of 22 noncompetitive task orders valued at approximately $48.6 million, with little assurance of price reasonableness and no planned funding," the report said. At least 17 of the task orders were out of scope and thus prohibited changes under the original contract, Opfer said in his report.

A lack of clarity surrounding the modifications may have resulted in VAST being overpaid about $3.8 million for MSS services it never delivered and an additional $4.7 million in duplicate payments. On top of that, the VA also spent about $35 million on equipment and supplies, but has no record of what the equipment is or where it may be. Because the VA revised the tasks that were the basis of the original award -- and sought new proposals from VAST -- it wound up paying about $6.76 million more than had been earmarked for the original contract in the first year.

As a result of the errors, the VA had spent about $91.8 million in less than three years when the plug was pulled.

Opfer's report also blasted the VA's vendor selection process. Little due diligence appears to have been put into evaluating vendor qualifications and ensuring that the prices being quoted were reasonable.

For instance, the CIRC contract was specifically meant for small businesses, which VAST was not, Opfer said. VAST, in its original response to the VA contract, described itself as a joint venture involving six small businesses teamed with three large businesses -- Compaq, Signal and SAIC. Such an association should have automatically disqualified VAST as a small business, the report said.

Just before the contract was awarded, VAST also changed its status from joint venture to limited liability corporation with no small business status. And because VAST appeared to have no assets, the VA may be hard-pressed to recover any excess money it paid the company, the report said.

Christopher Fountain, CEO of SecureInfo, disagreed with Opfer's conclusions and denied that VAST had been overpaid during its work for the VA. "At no time during the review were we alerted to any such concerns" by the IG's office, Fountain said. "They never told us they had found anything" that was a cause for concern during the review, he said.

In fact, when the contract was allowed to expire, it was VAST that incurred "several million dollars in liability" resulting from equipment purchases and other expenses, he said. Fountain also disagreed with Opfer's conclusion that VAST was not a small business. He maintained that the company was in fact a small business at all times during its contract with the VA.

"We believe that the government realized great value from the work we did perform for them," Fountain said. "We believe we [set up] one of the most advanced security operations centers in the federal government."

Also disagreeing with Opfer's finding was the VA's acting general counsel. In a statement responding to Opfer's audit, the general counsel's office maintained that the modifications made to the CIRC contract were legal.

But Robert Howard, the assistant secretary of IT for VA, said in a response that he concurred with the report's findings and had launched an inventory of equipment as recommended by Opfer.

The VA did not respond to a request for comment.


IDentiWall is the solution for human errors

TJX data breach: At 45.6M card numbers, it's the biggest ever

Jaikumar Vijayan


March 29, 2007 (Computerworld) After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise.

In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data.

In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was also stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings.

"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said.

Framingham, Mass.-based TJX is the owner of a number of retail brands, including T.J.Maxx, Marshalls and Bob's Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland.

At the time, TJX said it believed the intrusion took place in May 2006 but wasn't discovered until mid-December -- seven months later. A few weeks later, the company revised those dates and said that investigators from IBM and General Dynamics, two companies it hired in the wake of the breach discovery, believed the intrusion may have taken place in July 2005.

Several banks and credit unions around the country and in the other affected regions had to block and reissue thousands of payment cards as a result of the breach.

In its filing, TJX confirmed that its systems were first accessed illegally in July 2005 and then on several occasions later in 2005, 2006 and even once in mid-January 2007 -- after the breach had already been discovered. However, no data appears to have been stolen after Dec. 18, when the intrusion was first noticed.

The systems that were broken into were based in Framingham and processed and stored information related to payment cards, checks and merchandise returned without receipts. The data breach affected customers of its T.J.Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico. Also affected were customers of its Winners and HomeSense stores in Canada and TK Maxx stores in the U.K.

It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to.

Customer names and addresses were not included with any of the payment card data believed stolen from the Framingham systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions after September 2003, TJX said. Also, by April 3, 2006, the company had begun to mask payment card PIN data and "some other portions of payment card transaction information" as well as check transaction information, the company said.
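The two controls TJX cites in its filing (not retaining Track 2 data and masking card data in stored transaction records) are the kind of thing a defender can check for directly. The following is an added example, not code from the article, TJX, or Computerworld: it scans constructed transaction log lines for raw Track 2 payloads (ISO/IEC 7813 layout: `;` start sentinel, PAN, `=` separator, YYMM expiry, service code, discretionary data, `?` end sentinel), confirms the PAN with a Luhn check to cut false positives, and rewrites each hit into a storage-safe form that keeps only a masked PAN and expiry. The record format and PANs are constructed (the PANs are the common Visa and Mastercard test numbers), and the field layout of the sample lines is an assumption.

```python
"""Detect raw Track 2 magnetic-stripe data in stored transaction records and
reduce each record to a storage-safe form (masked PAN, no track data).

Added example; record layout and sample values are constructed, not taken
from TJX's systems or filings."""
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of up to 19 digits,
# '=' field separator, YYMM expiry, 3-digit service code, discretionary data
# (where PIN-verification and card-verification values live), '?' end sentinel.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Constructed sample records (assumed layout: date, terminal, payload, amount).
SAMPLE_RECORDS = [
    "2006-04-02 POS-17 ;4111111111111111=27121010000012300000? AMT=49.99",
    "2006-04-03 POS-17 PAN=************1111 EXP=2712 AMT=12.50",
    "2006-04-03 POS-09 ;5500000000000004=25051011234567890? AMT=8.00",
]


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(record: str):
    """Return the first Track 2 match whose PAN passes Luhn, else None."""
    for m in TRACK2_RE.finditer(record):
        if luhn_valid(m.group("pan")):
            return m
    return None


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records):
    """Detection pass: (index, masked PAN) for every record holding raw track data."""
    hits = []
    for i, rec in enumerate(records):
        m = find_track2(rec)
        if m is not None:
            hits.append((i, mask_pan(m.group("pan"))))
    return hits


def redact_record(record: str) -> str:
    """Mitigation pass: replace any Track 2 payload with masked PAN + expiry.

    Service code and discretionary data are dropped entirely; they are never
    needed after authorization and must not be retained."""
    def _sub(m):
        return f"PAN={mask_pan(m.group('pan'))} EXP={m.group('exp')}"
    # Redact every syntactic match, Luhn-valid or not: a false positive here
    # costs nothing, while a missed real PAN does.
    return TRACK2_RE.sub(_sub, record)


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: raw Track 2 data present for {masked}")
    for rec in SAMPLE_RECORDS:
        print(redact_record(rec))
```

Run as a script it reports records 0 and 2 as holding raw track data and prints all three records in redacted form; record 1 is already in the safe form and passes through unchanged. The detection pass demands a Luhn-valid PAN so that arbitrary digit strings between `;` and `?` are not flagged, while the redaction pass deliberately rewrites every syntactic match, since over-masking a non-card value is harmless and under-masking a real one is not.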

"We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided ... we believe that we may never be able to identify much of the information believed stolen," TJX said.

The company has so far spent about $5 million in connection with the breach, although it is hard to say what other costs may be incurred, the company warned. It cited several lawsuits that have been filed against it since the breach was announced. The company was sued recently by the Arkansas Carpenters Pension Fund, one of its shareholders, for its failure to divulge more details about the breach.

Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc., expressed surprise at the scope of the breach. "I had heard rumors that it was bigger than CardSystems, but I was still somewhat shocked it was actually this big."

The number involved in the breach "makes this the biggest card heist ever," she said. "It proves there are still very sophisticated cybercriminals out there at large who have the potential to wreak havoc on pure-payment systems and who have already stolen millions of dollars from consumers and financial institutions," she said.

"If this isn't a wakeup call for stronger card and payment system security, I'm not sure what is," she said.

TJX's disclosure comes just days after six Florida residents were arrested for allegedly launching a multimillion-dollar statewide credit card fraud ring using information stolen from the company. Losses experienced by Wal-Mart Stores Inc. and other retailers because of the fraud have so far totaled at least $8 million.


Made4biz Security Translating real-world security knowhow into state of the art security systems.