Friday, June 02, 2006
Data on 26.5 Veterans goes missing
May 22, 2006 (Reuters) -- Personal data on 26.5 million U.S. veterans was stolen from the residence of a U.S. Department of Veterans Affairs (VA) employee who was not authorized to take the material home, exposing them to possible identity theft, the department announced today.
The data included names, Social Security numbers and dates of birth for the military veterans and some spouses, the department said. There has been no indication that the data -- which is related to everyone discharged from the military since 1975 -- has been used for identity theft.
"We are going to send out an individual notification letter to every veteran to the extent possible" warning them of the risk of identity theft, said Veterans Affairs Secretary Jim Nicholson.
Nicholson said the theft of the data from the employee's home took place this month, but declined to identify the worker involved, the location of the burglary or how long the employee had the data at his home. The FBI said the theft occurred in the Maryland area and is being looked at by the FBI's Baltimore field office.
Officials said equipment containing the data was stolen, but Nicholson would not say whether a government laptop computer was involved.
"The employee has been placed on administrative leave pending the outcome of the investigation. We have a full-scale investigation going on in this," Nicholson told reporters by telephone. "We have a system of policies and controls that are in place and operating, and this person violated those."
He said the FBI, local law enforcement authorities and the VA's inspector general's office were investigating.
"They believe that this was a random burglary and not targeted at this data," Nicholson added, saying there had been a series of burglaries in the community where the employee lived. "It's highly probable that they do not know what they have."
Nicholson advised all military veterans to monitor their credit card and banking transactions and be alert for anything that might indicate identity theft.
The government is setting up a toll-free number, 1-800-333-4636, for veterans to call if they notice anything suspicious, as well as putting information on a government Web site www.firstgov.gov.
Nicholson identified the employee as a male career department worker, not a political appointee or senior official, who had legitimate access to the data at work as part of a project.
Nicholson said the employee "took home a considerable amount of electronic data from the VA, which he was not authorized to do. It was in violation of our rules and regulations and policies."
An FBI spokesman said that the matter was referred to the agency last week and it is investigating. The FBI was asked to get involved because it related to the theft of U.S. government property.
Nicholson said there is no indication that the employee intended to do anything wrong with the data beyond improperly taking it home.
The theft is another example of the continuing failure by government agencies to set the bar around cybersecurity, said Alan Paller, director of research at the SANS Institute in Bethesda, Md.
"The federal government should lead by example and they haven't been [doing that] in cybersecurity," Paller said. "They should have made it so easy and inexpensive for employees to encrypt data on their PC and have had such a high penalty for not doing it that everyone would have [complied]," he said.
The government also needs to use its enormous buying power to ensure that vendors build inexpensive and easy-to-use encryption capabilities into all PCs and client devices, he said. "The government buys $65 billion of IT every year," Paller said.
The government should use that spending leverage to push vendors to make changes that bolster security for all, he said.
According to Nicholson, it is possible that some people whose data was stolen are dead and that data on some veterans discharged before 1975 was included. No medical records and no financial information was compromised, Nicholson said.
But Nicholson said the data included information on some veterans' physical disabilities.
Identity theft, or obtaining the personal or financial information of another person in order to assume that person's name to make transactions, has mushroomed in recent years with the growth of the Internet and electronic business.
Computerworld's Jaikumar Vijayan and Reuters' Deborah Charles contributed to this report.
The data included names, Social Security numbers and dates of birth for the military veterans and some spouses, the department said. There has been no indication that the data -- which is related to everyone discharged from the military since 1975 -- has been used for identity theft.
"We are going to send out an individual notification letter to every veteran to the extent possible" warning them of the risk of identity theft, said Veterans Affairs Secretary Jim Nicholson.
Nicholson said the theft of the data from the employee's home took place this month, but declined to identify the worker involved, the location of the burglary or how long the employee had the data at his home. The FBI said the theft occurred in the Maryland area and is being looked at by the FBI's Baltimore field office.
Officials said equipment containing the data was stolen, but Nicholson would not say whether a government laptop computer was involved.
"The employee has been placed on administrative leave pending the outcome of the investigation. We have a full-scale investigation going on in this," Nicholson told reporters by telephone. "We have a system of policies and controls that are in place and operating, and this person violated those."
He said the FBI, local law enforcement authorities and the VA's inspector general's office were investigating.
"They believe that this was a random burglary and not targeted at this data," Nicholson added, saying there had been a series of burglaries in the community where the employee lived. "It's highly probable that they do not know what they have."
Nicholson advised all military veterans to monitor their credit card and banking transactions and be alert for anything that might indicate identity theft.
The government is setting up a toll-free number, 1-800-333-4636, for veterans to call if they notice anything suspicious, as well as putting information on a government Web site www.firstgov.gov.
Nicholson identified the employee as a male career department worker, not a political appointee or senior official, who had legitimate access to the data at work as part of a project.
Nicholson said the employee "took home a considerable amount of electronic data from the VA, which he was not authorized to do. It was in violation of our rules and regulations and policies."
An FBI spokesman said that the matter was referred to the agency last week and it is investigating. The FBI was asked to get involved because it related to the theft of U.S. government property.
Nicholson said there is no indication that the employee intended to do anything wrong with the data beyond improperly taking it home.
The theft is another example of the continuing failure by government agencies to set the bar around cybersecurity, said Alan Paller, director of research at the SANS Institute in Bethesda, Md.
"The federal government should lead by example and they haven't been [doing that] in cybersecurity," Paller said. "They should have made it so easy and inexpensive for employees to encrypt data on their PC and have had such a high penalty for not doing it that everyone would have [complied]," he said.
The government also needs to use its enormous buying power to ensure that vendors build inexpensive and easy-to-use encryption capabilities into all PCs and client devices, he said. "The government buys $65 billion of IT every year," Paller said.
The government should use that spending leverage to push vendors to make changes that bolster security for all, he said.
According to Nicholson, it is possible that some people whose data was stolen are dead and that data on some veterans discharged before 1975 was included. No medical records and no financial information was compromised, Nicholson said.
But Nicholson said the data included information on some veterans' physical disabilities.
Identity theft, or obtaining the personal or financial information of another person in order to assume that person's name to make transactions, has mushroomed in recent years with the growth of the Internet and electronic business.
Computerworld's Jaikumar Vijayan and Reuters' Deborah Charles contributed to this report.
Labels: US Dept. of Vetrans Affairs
# posted by raveneye @ 7:31 AM 
