By JAMES W. CRAWLEY
Media General News Service
February 28, 2007
WASHINGTON - While the Department of Veterans Affairs reeled last year
from the theft of a computer loaded with personal data on 26.5 million
vets, VA officials wasted as much as $135,000 on a bungled analysis of
the missing information.
A report by the VA's inspector general is a tale of favoritism, a
late-night contract award, inept contractor employees, expensive
restaurant meals and a sabotaged office computer.
The agency's inspector general, in the little-noticed report released
this month, sharply criticized the hiring of Internet Security Systems,
an Atlanta-based firm, and VA officials who approved the contract.
The report by the internal watchdog said several VA officials violated
federal regulations, did little to monitor the contractor's work and
rebuffed VA employees questioning their actions.
"As a result of these actions, VA significantly overpaid for the
services provided," the report concluded.
The VA should recoup money from the contractor and reprimand several
current employees, the inspector general recommended.
The VA "is working aggressively to implement the recommendations," said
spokesman Matt Burns. He would not say if any money had been reimbursed
or how many employees, if any, have been reprimanded.
After the theft of a VA employee's personal laptop computer and a hard
drive that contained millions of veterans' Social Security numbers and
personal information last May, the inspector general's office obtained
17 compact discs that the employee had used to transfer data from his
office computer to his home computer.
After examining the discs, the inspector general's office turned them
over to the VA's computer security office June 1, 2006.
That day, the VA's top computer security official, Pedro Cadenas Jr.,
approved a no-bid contract to Internet Security Systems to determine how
much information about veterans was missing and report its findings
within a few days. Total price was not to exceed $12,768.
Also that day, the inspector general's office released the results of
its similar analysis of the discs to top VA officials, who used the
information in public comments about the scope of the problem.
Internet Security Systems obtained the contract because Cadenas had "a
personal relationship with high-level ISS officials," the report said.
Three phone messages at Cadenas' home in Leesburg were not returned.
Internet Security Systems spokeswoman Heidi Litner said the firm is
cooperating, but she declined further comment Tuesday.
Internet Security Systems has offices worldwide and contracts with many
federal agencies and large corporations to protect computers against
hackers. IBM bought the firm for $1.3 billion last year.
From the start, Internet Security Systems had trouble doing the work.
Company employees tried unsuccessfully for nine hours to read the data -
even though it was stored in a common database language used by tens of
thousands of government agencies and corporations. Finally, a VA
official intervened and used his computer to translate the data into a
format the contract employees could use.
The next day, Friday, June 2, Cadenas ordered more data analysis from
the company, but a VA contracting officer balked because federal law
required competitive bids.
So, at 10 that Friday night, the VA sent a bid request to five
prospective vendors, including Internet Security Systems. The deadline
for bids was 1 a.m., Saturday, June 3 - three hours later.
Only Internet Security Systems and another firm bid.
In an e-mail from his Northern Virginia home at 4:03 a.m., June 3,
Cadenas picked Internet Security Systems for the additional data
A few days later, the company was given its first task under the new
contract - 385 hours of analysis. The inspector general estimated the
analysis should have taken 48 hours - not 385.
Internet Security Systems has billed the VA $202,418 for work on the
late-night contract. The VA has withheld payment, the report said.
On June 23, Cadenas asked the company to do a third job: create a
database using veterans' information found on the compact discs.
Five days later, police recovered the stolen laptop with the personal
data intact. Authorities determined that no identity theft occurred.
On June 29, Cadenas announced he was resigning July 14 and went on paid
Internet Security Systems continued building the new database. After
finishing it in mid-July, the VA paid the firm $119,042 for the new
database. In the report, the inspector general said there had been no
need to complete the new database.
Internet Security Systems has received a total of $135,554 from the VA,
including $16,512 paid on the initial no-bid contract. And the VA is
still holding the bill for $202,418.
What did the VA get in return?
Besides a database that wasn't needed, the agency got a pile of expense
reports with few receipts or explanations, the inspector general
The firm billed $20,646 for airfare and hotel expenses. A worker
submitted restaurant bills of $137, $152 and $266 for separate meals -
on a contract in which $64 for three meals per day was the maximum
The same worker also charged the VA $154 to buy a software manual.
Another worker claimed $215 for computer hardware shipped to his home.
In early July, the questionable contracts attracted the attention of the
VA's inspector general.
When investigators scheduled an interview with Cadenas for July 12, he
decided to quit July 11, three days early.
Cadenas also rebuffed investigators' questions while cleaning out his
office, the report said.
Later, investigators discovered all contract paperwork in the office was
missing and his government-owned office computer's hard drive had been
Cadenas escaped possible administrative punishment with his resignation,
the report said.
Copyright 2007 Media General.