RealTime IT News

Teens Charged in VA Laptop Theft

Perhaps they should have ordered their lunch to go.

Maryland police arrested two teenagers Friday morning at a suburban Maryland McDonald's and charged them with the May theft of a Veterans Administration's (VA) laptop that resulted in the largest data breach in federal government history.

According to the VA, none of the data was used for identity theft purposes.

Jesus Alex Pineda and Christian Brian Montano, both 19, are charged with first-degree burglary and theft over $500. Montano is additionally charged with conspiracy to commit first-degree burglary and conspiracy to commit theft over $500.

Charges are also pending against a third male suspect who is currently jailed for an unrelated incident.

Montgomery County Police spokesperson Lucille Baur said a bail hearing will be held Monday.

The teenagers obtained the laptop after a burglary of a VA employee's home. The employee was authorized to take the laptop home, but the VA was unaware at the time of the large amounts of data contained on a portable hard drive.

Montgomery County police characterized the burglary as a random theft, saying Pineda, Montano and the unidentified juvenile did not specifically target the VA employee's home and took the laptop and hard drive as a part of a random sack of the home.

In late May, the VA went public with the theft, which is the second-largest data breach on record and the largest Social Security numbers breach ever.

The alleged thieves did not know that the hard drive contained VA information until the case and a resulting $50,000 reward was publicized.

On June 28, United States Park Police officers received information that resulted in the recovery of the stolen laptop and hard drive. On August 4, detectives and agents received new information, ultimately leading to the arrest of Pineda and Montano.

"The cooperative efforts and tenacity paid off today with the positive identifications of the suspects and their arrests," Montgomery County Police Chief J. Thomas Manger said in a statement.

The laptop contained no VA data, but the external hard drive included large record extracts containing records on approximately 26 million living veterans. The extracts contained unencrypted Social Security numbers, full names, birth dates and service numbers.

A subsequent VA report into the security practices that led to the breach concluded the employee, who is currently on administrative leave, exercised "extremely poor judgment" when he decided to take the personal information out of the office without encrypting or password protecting the data.

The investigation also concluded the data had not been breached by the burglars.

"Based on all the facts gathered thus far during the investigation as well as the results of forensics examinations, the FBI and the Office of the Inspector General are highly confident that the files ... were not compromised after the burglary," the report states.

The report also concludes the VA did not respond in a timely or appropriate manner when the employee reported the theft of the laptop and external hard drive.

Secretary of Veterans Affairs Jim Nicholson told Congress he was not informed of the theft until two weeks after the fact.

The VA breach was the start of a series of startling data breaches disclosed by the government over the last two months.

In late June, the Navy announced approximately 28,000 sailors and their families were exposed to potential identity theft when a civilian Web site posted five spreadsheets with the personal data of military personnel.

The information disclosed the names, birth dates and Social Security numbers of the sailors and their dependents.

The Department of Agriculture (USDA) previously reported hackers may have accessed the personal information of as many as 26,000 current and former USDA employees.

In mid-June, the Federal Trade Commission (FTC) said the laptops of two agency attorneys containing the personal information of more than 100 people were stolen from a locked vehicle.