RealTime IT News

VA Data Breach Stirs Washington

Somewhere out there is a thief with the names and Social Security numbers of every veteran discharged after 1975.

In the second-largest data breach on record -- and the biggest Social Security numbers breach ever -- the Department of Veterans Affairs (VA) disclosed Monday that approximately 26.5 million veterans are at risk of identity theft.

According to the VA, an employee violated agency policy and took a laptop with the information on it home, where it was stolen in a burglary earlier this month.

The question looming over Washington Tuesday is whether the thief knows what he or she has.

"We just don't know. [The thief] is either very unsophisticated or getting more sophisticated by the hour as news reports keep coming out," said Liz Gasster, general counsel for the Cyber Security Industry Alliance (CSIA).

Andy Serwin, a privacy attorney and partner at Foley & Lardner in San Diego, said there is "not a high probability" that the burglar knew what was on the laptop, but added, "There is an equal likelihood someone will figure out what's on that computer."

Various law enforcement agencies, including the FBI and the VA's Inspector General's Office, have launched investigations into the theft.

Ari Schwartz, deputy director of the Center for Technology and Democracy, speculated that since the FBI is now on the case, the burglar "is less likely to sell the computer."

The VA said on the federal government's FirstGov site, "At this point there is no evidence that any missing data has been used illegally. If the data has been misused or otherwise used to commit fraud or identity theft crimes, it is likely that veterans may notice suspicious activity in the month of May."

Nevertheless, the VA is urging all veterans to be "extra vigilant and to carefully monitor" bank and credit card statements. The VA said it would send out notification letters to affected veterans "to every extent possible."

The VA has also set up a manned call center that veterans may contact in addition to posting on its site and the FirstGov site extensive information about how veterans can protect themselves against identity theft.

Counting the VA's Monday disclosure, the Privacy Rights Clearinghouse estimates that since February of last year, more than 80 million Americans have been exposed to potential identity theft through 170 data breaches.

The largest breach on record is by credit card processor CardSystems, which exposed personal information on more than 40 million credit cards after hackers cracked into the firm's computer system.

"Most people do not realize how many databases or devices store their personal information," Bill Conner, president and CEO of Entrust, said in e-mail comments to internetnews.com.

"We're never going to stop laptops like this one from being lost or stolen, and it is the No. 1 way to be compromised."

Conner added, "Hopefully, other government agencies and private companies will pay attention to this egregious breach and take action to protect their data from suffering the same fate."

The VA's disclosure also prompted the U.S. House of Representatives to expedite its own data disclosure bills.

Wednesday morning, the House Commerce Committee plans a vote on the Financial Data Protection Act of 2006 while the House Judiciary has scheduled a vote on the Cyber Security Enhancement and Consumer Data Protection Act.

The bill before the House Commerce Committee does not require mandatory disclosure to consumers after a data breach. Instead, the legislation requires a company suffering a breach to conduct an investigation to determine if notification is necessary.

The House Judiciary bill increases criminal penalties for data theft and notification to law enforcement officials in the event of a "major security breach" of more than 10,000 people.

Two Senate committees have already passed data breach legislation.

The Identity Theft Protection Act requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.

The bill also outlaws the selling, purchasing or displaying of Social Security numbers.

"We would encourage Congress to act quickly," the CSIA's Gasster said, and warned that neither technology nor legislation is the complete answer to data security.

"We need to look at security in a more holistic way," she said. "It's not just notification. Companies need to have reasonable security practices in place."