The alleged hacking of a former top aide at the Department of Veterans Affairs (VA) was unrelated to the travel scandal she was embroiled in and was limited to “relatively unsophisticated ‘spoofing,’ ” according to a government watchdog.
At issue is the VA inspector general’s allegation that Vivieca Wright Simpson, who has since resigned as chief of staff, doctored an email in order to gain approval to use taxpayer dollars to pay for VA Secretary David Shulkin ’s wife to accompany him on a trip to Europe.
Shulkin has said Wright Simpson showed him evidence backing up her denial that she sent the email in question and has suggested the email was sent by hackers looking to undermine him.
In a letter released Wednesday by the top Democrat on the House Veterans’ Affairs Committee, the VA’s Office of Inspector General (OIG) says it secured Wright Simpson’s VA-issued computers and mobile devices in consultation with the FBI and Department of Justice (DOJ), but that it does not believe a forensic analysis is warranted.
“In the nearly two weeks since the release of our report, the nature of the alleged compromise of Ms. Wright Simpson’s VA email account has become clearer,” Inspector General Michael Missal wrote in the letter. “The OIG now believes that the allegations of ‘hacking’ are limited to unrelated and relatively unsophisticated ‘spoofing’ of Ms. Wright Simpson’s identity through messages sent from an external, non-VA email address.”
The evidence Wright Simpson showed Shulkin was an email sent Feb. 14 to a VA finance employee seeking to obtain payment on a purchase order, Missal said. The email was marked “external” and was sent from a comcast.net email address using “Vivieca Wright Simpson” as the display name.
“Given the ‘external’ markings and the comcast.net email domain, it is obvious from the face of the ‘Vivieca Wright Simpson’ email that it did not originate from the VA email system,” Missal wrote.
The VA’s information technology (IT) staff also told the inspector general that it has no evidence Wright Simpson’s actual VA email account was compromised, Missal said.
IT staffers have, however, identified a phishing attack where a VA employee is impersonated in order to get another employee to reveal private information or to get a fraudulent payment.
“VA IT staff appear to be keeping VA employees informed and advised of actions they should take in response to such efforts,” Missal wrote. “We will continue to work with the department to monitor the alleged phishing/spoofing and stand ready to investigate all credible allegations of email and computer hacking or other violations at VA if additional evidence is developed.”
Shulkin told the inspector general he “did not mean to imply” to reporters that Wright Simpson’s VA account was hacked.
“Secretary Shulkin informed us that, in speaking with reporters about Ms. Wright Simpson’s allegations, he did not mean to imply that her VA email had been ‘hacked,’ ” Missal wrote. “Secretary Shulkin said that he was not aware of any allegations relating to Ms. Wright Simpson’s email beyond the information she showed him on the morning of February 14 — that is, the ‘comcast.net’ email described above.”
Rep. Tim Walz (D-Minn.), ranking member of the House Veterans’ Affairs Committee, said in a statement Wednesday he appreciates the quick response from the inspector general, the FBI and the DOJ.
“I firmly believe allegations of potential criminal activity carried out on VA computers and networks ought to be taken seriously, and I offer my sincere gratitude and appreciation to Inspector General Missal, the FBI and DOJ for looking into the matter, quickly responding to my request, and determining that VA’s email system had not been compromised,” he said. “Accountability at VA will always be paramount and I expect VA will take additional actions if appropriate after VA completes its review of the OIG’s report.”