Somewhere out there is a thief with the names and Social Security numbers of
every veteran discharged after 1975.
In the second-largest data breach on record — and the biggest Social
Security numbers breach ever — the Department of Veterans Affairs (VA)
disclosed Monday approximately 26.5 million veterans are at risk of identity
theft.
According to the VA, an employee violated agency policy and took a laptop with
the information on it home, where it was stolen in a burglary earlier this
month.
The question looming over Washington Tuesday is does the thief know what he
or she has?
“We just don’t know. [The thief] is either very unsophisticated or getting
more sophisticated by the hour as news reports keep coming out,” said Liz
Gasster, general counsel for the Cyber Security Industry Alliance (CSIA).
Andy Serwin, a privacy attorney and partner at Foley & Lardner in San Diego,
said there is “not a high probability” that the burglar knew what was on the
laptop, but added, “There is an equal likelihood someone will figure out
what’s on that computer.”
Various law enforcement agencies, including the FBI and the VA’s Inspector
General’s Office, have launched investigations into the theft.
Ari Schwartz, deputy director of the Center for Technology and Democracy,
speculated that since the FBI is now on the case, the burglar “is less
likely to the sell the computer.”
The VA said on the federal government’s FirstGov site, “At this point there
is no evidence that any missing data has been used illegally. If the data
has been misused or otherwise used to commit fraud or identity theft crimes,
it is likely that veterans may notice suspicious activity in the month of
May.
Nevertheless, the VA is urging all veterans to be “extra vigilant and to
carefully monitor” bank and credit card statements. The VA said it would
send out notification letters to affected veterans “to every extent
possible.”
The VA has also set up a manned call center that veterans may contact in
addition to posting on its site and the FirstGov site extensive information
about how veterans can protect themselves against identity theft.
Counting the VA’s Monday disclosure, the Privacy Rights Clearinghouse
estimates that since February of last year, more than 80 million Americans
have been exposed to potential identity theft through 170 data breaches.
The largest breach on record is by credit card processor CardSystems, which
exposed personal information on more than 40 million credit cards after
hackers cracked into the firm’s computer system.
“Most people do not realize how many databases or devices store their
personal information,” Bill Conner, president and CEO of Entrust, said in
e-mail comments to internetnews.com.
“We’re never going to stop
laptops like this one from being lost or stolen, and it is the No. 1 way to be compromised.”
Conner added, “Hopefully, other government agencies and private companies
will pay attention to this egregious breach and take action to protect their
data from suffering the same fate.”
The VA’s disclosure also prompted the U.S. House of Representatives to
expedite its own data disclosure bills.
Wednesday morning, the House Commerce Committee plans a vote on the Financial
Data Protection Act of 2006 while the House Judiciary has scheduled a
vote on the Cyber Security Enhancement and Consumer Data Protection Act.
The bill before the House Commerce Committee does not require mandatory
disclosure to consumers after a data breach. Instead, the legislation
requires a company suffering a breach to conduct an investigation to
determine if notification is necessary.
The House Judiciary bill increases criminal penalties for data theft and
notification to law enforcement officials in the event of a “major security
breach” of more than 10,000 people.
Two Senate committees have already passed data breach legislation.
The Identity Theft Protection Act requires data brokers, government agencies
and educational institutions to disclose security breaches to consumers
within 45 days if there is a “reasonable risk” of identity theft involved in
the breach.
The bill also outlaws the selling, purchasing or displaying of Social
Security numbers.
“We would encourage Congress to act quickly,” the CSIA’s Gasster said, and warned that neither technology not legislation the complete
answer to data security.
“We need to look at security in a more holistic way,” she said. “It’s not
just notification. Companies need to have reasonable security practices in
place.”