RealTime IT News

Report Reveals VA Breach Specifics

Veterans can breathe a little easier over the massive May data theft at the Veterans Administration (VA).

The FBI and the VA's Office of the Inspector General (OIG) do not think the data on a laptop and an external hard drive stolen from a VA employee's home has been used for identity theft purposes, according to a VA report issued Tuesday.

The laptop contained no VA data, but the external hard drive held large extracts containing records on approximately 26 million living veterans. The extracts contained Social Security numbers, full names, birth dates and service numbers.

The FBI recovered the laptop and hard drive late last month.

"Based on all the facts gathered thus far during the investigation as well as the results of forensics examinations, the FBI and the Office of the Inspector General are highly confident that the files ... were not compromised after the burglary," the report states.

The report concludes that the employee was authorized to take the laptop and hard drive home, but he exercised "extremely poor judgment" when he decided to take the personal information out of the office without encrypting or password-protecting the data.

The employee told the FBI and the OIG that the data he took home was part of a "self-initiated" study.

"While the employee had authorization to access and use large VA databases containing veterans' personal identifiers ... his supervisors and managers were not aware he was working on the project," the report states.

Had they been aware of the employee's project, the report claims, the employee would not have received permission to take the data home.

The report also concludes the VA did not respond in a timely or appropriate manner when the employee reported the theft of the laptop and external hard drive. Secretary of Veterans Affairs Jim Nicholson told Congress he was not informed of the theft until two weeks after the fact.

"[The report] by the Veterans Affairs Inspector General reaffirms our initial concerns that the Department was slow to react to the loss of sensitive personal data," Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, said in a statement.

Davis added, "The VA was fortunate -- the police eventually recovered its stolen data. Not all agencies are so lucky. And we can't go forward hoping for the same good luck in the future.

"The federal government must become a better steward of sensitive personal information."

Davis sent letters this week to the heads of all Cabinet agencies, as well as the Office of Personnel Management and the Social Security Administration, seeking detailed information on any "loss or compromise of sensitive personal information held by the federal government" since Jan. 1, 2003.

Davis requested the agencies respond to his letter by July 24.

The VA breach ignited a series of embarrassing data leaks by the government.

Last month, the Navy said approximately 28,000 sailors and their families were exposed to potential identity theft when a civilian Web site inadvertently posted data containing the personal information of Navy personnel.

Also in June, the Department of Agriculture reported that hackers may have accessed the personal information of as many as 26,000 current and former USDA employees.