The Department of Veterans Affairs’ Office of Inspector General released a report this week that said tens of thousands of VA officials inappropriately signed up for Yammer, and used the communications tool to get in fights with each other, set up silly chat rooms, and even point out helpful movie reviews to each other.
Even worse, the inspector general said Yammer was never formally approved as a communications tool, and that it allowed some VA officials to share personal information on a non-secure platform.
The IG summarized its report by saying the use of a “VA Yammer” account has led to numerous wasted hours of work for officials at an agency that has been under near-constant criticism for failing to ensure veterans have access to health care.
“VA Yammer was not only an unapproved web-based collaboration tool, it was a misuse of VA time and resources when VA employees used it, due to it not being properly approved,” he said. “Further, the frequent use of Yammer, to include the instant messaging tool, could cause congestion, delay, or disruption of service and degrade the performance of VA’s network.”
“Moreover, we found several posts that contained VA sensitive data and numerous posts in which users posted or uploaded unprofessional, non-VA related personal, and/or disparaging content that showed a broad actual and
potential misuse of time and resources by VA Yammer users,” it said.
The report said that while the VA has a procedure for adopting new technologies and social media, officials started using Yammer in 2012 without any formal approval. Soon after, there were more than 25,000 active users of Yammer at the VA, and another 25,000 or so who had signed up but were not yet active.
But no one was managing the system, which led to several examples in which employees were confused about how they were accidentally spamming other workers to join.
Many others used Yammer as a fun social site, leading to wasted time at work. The IG report said some users posed pictures of their T-shirts, while another posted a video link to the 1986 movie “Ferris Bueller’s Day Off.”
Several other officials set up and joined chat rooms, including rooms called GEEK Jokes, Swap Meet, and one called “Fifty Shades of Craig,” which the report described as a group that included “posts containing images of a man’s head superimposed on various nonsensical non-VA images.”
Sometimes, these posts led to internal fights between VA employees.
Aside from wasting time, the IG also warned that some posts threatened the VA’s IT system.
“[W]e found several posts that contained VA sensitive data and numerous posts in which users posted or uploaded unprofessional, non-VA related personal, and/or disparaging content that showed a broad actual and potential misuse of time and resources by VA Yammer users,” the report said.
In 2013, one VA official used Yammer to post what he thought were directions for overriding the VA’s information technology security.
“Figured out how to copy the [Personal Identity Verification (PIV) Public Key Infrastructure (PKI)] Certificate to windows if a card is lost or not working[;] all the email encrypted with the certificate can still be accessed without the card,” that post said.
In response to another post, one user wrote, “Please DELETE the .pdf with the IP address IMMEDIATELY! IP addresses are VA protected information and may NEVER be posted in a public place — even if only VA public. If necessary to put in an email the email should be encrypted. This is a security violation. Thank you!”
The report recommended that the VA formally approve or disapprove Yammer, determine whether any disciplinary actions need to be taken, and ensure VA workers are told which social media sites have been approved for use.
