Perhaps they should have ordered their lunch to go.
Maryland police arrested two teenagers Friday morning at a suburban Maryland
McDonald’s and charged them with the May theft of a
Veterans Administration’s (VA) laptop that resulted in the largest data
breach in federal government history.
According to the VA, none of the data was
used for identity theft purposes.
Jesus Alex Pineda and Christian Brian Montano, both 19, are charged with
first-degree burglary and theft over $500. Montano is additionally charged
with conspiracy to commit first-degree burglary and conspiracy to commit
theft over $500.
Charges are also pending against a third male suspect who is currently
jailed for an unrelated incident.
Montgomery County Police spokesperson Lucille Baur said a bail hearing will
be held Monday.
The teenagers obtained the laptop after a burglary of a VA employee’s home.
The employee was authorized to take the laptop home, but the VA was unaware
at the time of the large amounts of data contained on a portable hard drive.
Montgomery County police characterized the burglary as a random theft,
saying Pineda, Montano and the unidentified juvenile did not specifically
target the VA employee’s home and took the laptop and hard drive as a part
of a random sack of the home.
In late May, the VA went public with the theft, which is the second-largest
data breach on record and the largest Social Security numbers breach ever.
The alleged thieves did not know that the hard drive contained VA
information until the case and a resulting $50,000 reward was publicized.
On June 28, United States Park Police officers received information that
resulted in the recovery of the stolen laptop and hard drive. On August 4,
detectives and agents received new information, ultimately leading to the
arrest of Pineda and Montano.
“The cooperative efforts and tenacity paid off today with the positive
identifications of the suspects and their arrests,” Montgomery County Police
Chief J. Thomas Manger said in a statement.
The laptop contained no VA data, but the external hard drive included large
record extracts containing records on approximately 26 million living
veterans. The extracts contained unencrypted Social Security numbers, full
names, birth dates and service numbers.
A subsequent VA report into the security practices that led to the breach
concluded the employee, who is currently on administrative leave, exercised
“extremely poor judgment” when he decided to take the personal information
out of the office without encrypting or password protecting the data.
The investigation also concluded the data had not been breached by the
burglars.
“Based on all the facts gathered thus far during the investigation as well
as the results of forensics examinations, the FBI and the Office of the
Inspector General are highly confident that the files … were not
compromised after the burglary,” the report states.
The report also concludes the VA did not respond in a timely or appropriate
manner when the employee reported the theft of the laptop and external hard
drive.
Secretary of Veterans Affairs Jim Nicholson told Congress he was not
informed of the theft until two weeks after the fact.
The VA breach was the start of a series of startling data breaches disclosed
by the government over the last two months.
In late June, the Navy announced
approximately 28,000 sailors and their families were exposed to potential
identity theft when a civilian Web site posted five spreadsheets with the
personal data of military personnel.
The information disclosed the names, birth dates and Social Security numbers
of the sailors and their dependents.
The Department of Agriculture (USDA) previously reported hackers may have
accessed the personal information of as many as 26,000 current and former
USDA employees.
In mid-June, the Federal Trade Commission (FTC) said the laptops of two
agency attorneys containing the personal information of more than 100 people
were stolen from a locked vehicle.
