SecurityFocus 2006-05-22
The U.S. government warned on Monday that a database containing sensitive information about veterans and their families had been stolen, after an employee violated policy and brought the data home.
The database contained the names, social security numbers and dates of birth of as many as 26.5 million veterans and their families, according to the U.S. Department of Veterans Affairs, which replaced most of its home page on Monday with a warning about the leak. The agency discovered the violation of policy after the employee's home was burglarized and has put the worker on administrative leave pending an investigation.
"Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents," the federal agency said in a statement published Monday. "It is possible that they remain unaware of the information which they possess or of how to make use of it."
The FBI and the Veterans Affairs Inspector General have both launched an investigation into the theft. The stolen data did not include veterans' medical records or financial information, the federal agency said. The government advised veterans to check financial statements and notify Veterans Affairs of any suspicious activity.
The data theft stunned representatives of the veterans' community.
"To me, it defies credulity that one individual would have all this information and, by however he did it, wound up losing it to a burglar," said Bernard Edelman, deputy director of government affairs for Vietnam Veterans of America.
Without better information about the theft and the likelihood the data will be misused, the VVA is at a loss as to what to tell its membership, Edelman said.
"What can we advise them to do? Be vigilant?" he said. "According to the secretary of the VA, there is no evidence of the information being used for identity theft. But you may want to throw the word 'yet' after that."
The data leak is potentially the largest loss of social security numbers to date. Last year, financial giant Mastercard International warned that a third-party credit-card processor, CardSystems Solutions, had lost as many as 40 million accounts after a data thief had used a security hole to tap into the processor's system. In early 2005, data broker Choicepoint warned that criminals posing as businesses had managed to access 145,000 detailed records on American consumers. The two leaks joined a slew of others to make 2005 a bad year for privacy.
This is not the first time that the Department of Veterans Affairs has failed to make the grade in computer security. In the annual evaluation required of all federal agencies by the Federal Information Security Management Act of 2002, the VA failed to meet the standards set by the law, receiving an 'F' for four of the five years that the audit was conducted.
Government agencies, as well as corporate IT departments, need to start encrypting data to protect sensitive information from illicit access, said Paul Stephens, a policy analyst with the Privacy Rights Clearinghouse.
"If the data had been encrypted then there wouldn't have been a problem," Stephens said.
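The point Stephens makes is encryption at rest: a file of records that is sealed with a key kept apart from the file yields nothing to whoever walks off with the disk. The following is an added illustration written for this page, not code from the article or from the VA; the record format, field values and key handling are assumptions made for the example, and the key is held only in memory here where a real deployment would keep it in a separate key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// sampleRecord is a constructed stand-in for one row of a personnel file.
// The SSN and date are placeholders, not real values.
const sampleRecord = "name=Jane Doe;ssn=000-00-0000;dob=1950-01-01"

// newKey returns a fresh 256-bit AES key. In practice this key would live in
// a key-management service or hardware module, never next to the data file.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// GCM gives confidentiality and integrity: any edit to the stored bytes fails to open.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Prepend the nonce so the record is self-describing on disk.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord. It returns an error for a wrong key, a
// truncated record, or any tampering with the stored bytes.
func openRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// leaksSSN reports whether the stored bytes still expose the plaintext SSN,
// i.e. what a burglar with only the file would be able to read.
func leaksSSN(stored []byte, ssn string) bool {
	return strings.Contains(string(stored), ssn)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := sealRecord(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Println("on disk:", hex.EncodeToString(sealed))
	fmt.Println("SSN visible without key:", leaksSSN(sealed, "000-00-0000"))

	plain, err := openRecord(key, sealed)
	fmt.Println("with key:", string(plain), err)

	otherKey, _ := newKey()
	_, err = openRecord(otherKey, sealed)
	fmt.Println("with wrong key:", err)
}
```

The check that matters for the scenario in the article is `leaksSSN`: a plain file returns true, the sealed file returns false, and the sealed file cannot be opened with any key other than the one that was never on the stolen machine.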
The magnitude of the potential loss undermines the future value of the social security number as a unique identifier for U.S. citizens, a purpose for which it was never intended, said Avivah Litan, vice president of identity research at market analyst firm Gartner.
"If one out of every seven or eight social security numbers has been compromised, then no one should be relying on it any longer as an identifier," Litan said. "I think the private sector will have to come up, and has already started coming up, with their own solutions."
Litan stressed that, if the theft was truly random, it is unlikely the thief would know what was on the computer or would make use of it.
"There is likely less than a one percent chance that this will be used for identity theft," she said.
UPDATE: The article was updated on Monday at 3:40 p.m. PST with information on the Department of Veterans Affairs' performance on the annual audit required by the Federal Information Security Management Act (FISMA) of 2002.