Archive/Encryption Failure in Portable Device Storage: Technical-Operational Analysis of the Veterans Affairs Data Breach
Encryption Failure in Portable Device Storage: Technical-Operational Analysis of the Veterans Affairs Data Breach
Pedro A. R. S. Costa, Antonio Goncalves, Mario Monteiro Marques
7. Juli 2026
en

Abstract

This case study examines an encryption failure incident involving the exposure of sensitive personal data within a governmental information system environment. The analysis is based on the well-documented data breach that occurred within the U.S. Department of Veterans Affairs, in which a government employee stored a large dataset containing veterans’ personal information on a portable laptop device that lacked adequate encryption protection. Following the theft of the device from the employee’s residence, the personal records of approximately 26.5 million individuals were placed at risk of unauthorized exposure. Rather than interpreting the incident as an isolated technical failure, this study analyzes it through the Swiss cheese model, proposed by James Reason, and formalizes them as Portable Device Data Exposure Chain (PDDEC), showing that the breach resulted from the alignment of weaknesses across multiple layers of defense. The model is compared with two post-2010 endpoint-loss incidents to provide a limited historical back-test and is positioned against data-lifecycle, defense-in-depth, and Zero Trust approaches. The analysis shows that full-disk encryption is now a baseline control rather than a sufficient or novel solution. Hardware-backed key protection, verified boot, endpoint compliance, data-loss prevention, continuous monitoring, and controls for data in use are also required because encryption can be weakened by poor recovery-key governance, authenticated malware, sleep-state memory exposure, cold-boot attacks, and direct-memory-access attacks. The study contributes a reproducible control-point model for analyzing how sensitive data becomes exposed when it is moved beyond centrally managed environments, while explicitly limiting its generalizability to analytically comparable endpoint-loss scenarios.

IPC Classification

G06B60

Keywords

encryptionfailureportabledevicestoragetechnical-operationalanalysisveteransaffairsdatabreachjournalcybersecurityprivacycaseexaminesincidentinvolvingexposuresensitivepersonalwithingovernmentalinformation
Diese Veröffentlichung zitieren

€ 4.00