Tuesday, May 23, 2006

Vast Data Cache About Veterans Is Stolen

Washington


Vast Data Cache About Veterans Is Stolen


By DAVID STOUT and TOM ZELLER Jr.
Published: May 23, 2006

WASHINGTON, May 22 � Personal electronic information on up to 26.5 million military veterans, including their Social Security numbers and birth dates, was stolen from the residence of a Department of Veterans Affairs employee who had taken the data home without authorization, the agency said Monday.

Skip to next paragraph
Multimedia

Graphic: Records at Risk

The department said that there was no evidence any of the information had been used illegally and that whoever stole it, in a burglary of the employee's home this month, might be unaware of its nature or how to use it. The stolen data do not include any health records or financial information, the agency said.

But it was immediately clear from the sheer numbers involved, as well as the tone of the announcement and the steps taken in the aftermath of the theft, that the breach was deeply embarrassing to the agency.

"As a result of this incident, information identifiable with you was potentially exposed to others," Jim Nicholson, the secretary of veterans affairs, wrote in a letter being sent to the veterans who might be affected.

As measured by the number of people potentially affected, the data loss is exceeded only by a breach last June at CardSystems Solutions, a payment processor, in which the accounts of 40 million credit card holders were compromised in a hacking incident.

But in that breach, any exposure could be addressed by simply canceling those accounts. In the latest incident, three crucial keys to unlocking a person's financial life � name, Social Security number and date of birth � may have been set loose. Those cannot be canceled, and a clever thief can use them to begin trying to open new accounts, secure loans, buy property and otherwise wreak havoc on the victim's credit history.

At a news conference on Monday afternoon, Attorney General Alberto R. Gonzales said there was "no reason to believe at this time that the identities of these veterans have been compromised." Mr. Gonzales, who spoke after the first working meeting of an identity theft task force established by President Bush on May 10, added that he had directed prosecutors "to exercise zero tolerance" if cases of identity theft were traced to loss of the data.

The breach follows more than a year of intense debate over the security of private consumer data. That controversy stemmed from the disclosure in February 2005 that thieves had duped the world's largest commercial data broker, ChoicePoint, into providing them information on more than 150,000 consumers.

Since then, consumer groups estimate, records of various types involving some 55 million consumers � credit card and bank account data, Social Security numbers, dates of birth and other information � have been lost, stolen or otherwise made vulnerable. The figure does not include the breach made public on Monday.

In the aftermath of the ChoicePoint debacle, several states have passed tough legislation aimed principally at forcing companies, schools and other handlers of private data to notify consumers when their information has been compromised. Other new laws permit consumers to freeze their credit as a way of foiling would-be thieves, or force new security standards on data handlers.

Several pieces of legislation are also pending in Congress, but so far the interests of the financial services and credit industries, which seek to limit inhibitions on data handling and the penalties for security breaches, have competed with those of consumer advocates. As a result, no consensus has emerged.

In the Veterans Affairs case, Matt Burns, a spokesman for the department, said the data involved veterans who were discharged from 1975 onward, as well as some who were discharged earlier and then filed a claim with the agency.

The case is under investigation by the department's inspector general and the F.B.I. Mr. Burns, noting that the inquiry was continuing, would not say when the theft was discovered.
But a Congressional aide briefed on the matter, granted anonymity because he was not authorized to speak publicly about it, said the information was on disks. Secretary Nicholson, speaking at the same news conference as Attorney General Gonzales, said the worker had taken the data home to work on a department project. Mr. Nicholson described the worker, who has not been identified, as a longtime employee of the agency. He lives in suburban Maryland, a law enforcement official said.

There could be no immediate definitive answer to the most important question: whether those with the stolen data would use the information. But Beth Givens, the director of the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego, said there was good reason to be concerned.

"There is no telling what kind of path the data is going to take," Ms. Givens said. The combination of names, Social Security numbers and dates of birth "means that 26.5 million people could � could � become victims of identity theft," she said.

The Department of Veterans Affairs acknowledged as much in advising veterans to be "extra vigilant" and to monitor their bank statements, credit card records and the like. Veterans can go to firstgov.gov and www.va.gov/opa for information, or call a toll-free number: 1 (800) 333-4636.

Criticism of the agency began almost as soon as the data breach was disclosed Monday.

"Someone needs to be fired, the perpetrators need to be caught, and the security system at the V.A. needs to be massively overhauled," said Senator John Kerry of Massachusetts, the 2004 Democratic presidential nominee.

Another Democrat, Senator Charles E. Schumer of New York, said, "If the government is going to tell private companies that they have to secure Americans' personal and financial data, then it has to set a much better example itself."

Mr. Schumer introduced a far-reaching computer security bill in 2005, but it failed to gain enough support.

David Stout reported from Washington for this article, and Tom Zeller Jr. from New York.

No comments: