To those that may have served....
May 22, 2006, 10:33PM
Data stolen on millions of vets
No evidence yet of identity theft, but feds send out warning
By DAVID STOUT and TOM ZELLER JR.
New York Times
WASHINGTON - Personal electronic data on up to 26.5 million veterans, including their Social Security numbers and birth dates, was stolen from the home of a Department of Veterans Affairs employee who had taken the information without authorization, the agency said on Monday.
The department said that there is no evidence any data has been used illegally, and that whoever stole it during a burglary of the employee's home may be unaware of the nature of the information or how to use it. The stolen data does not include any health records or financial information, the agency said.
But it was immediately clear from the sheer numbers involved, as well as the tone of the department's announcement and the steps it has taken since the theft was uncovered, that the information breach is deeply embarrassing to the agency and will be very costly.
"As a result of this incident, information identifiable with you was potentially exposed to others," R. James Nicholson, the secretary of veterans affairs, wrote in a letter being sent to the veterans who may be affected.
On Monday, Attorney General Alberto Gonzales said there was "no reason to believe at this time that the identities of these veterans have been compromised." Gonzales, who spoke after the first meeting of an identity-theft task force established by President Bush on May 10, added that he had directed prosecutors "to exercise zero tolerance" if actual cases of identity theft are traced to loss of the data.
Matt Burns, a Department of Veterans Affairs spokesman, said the data involves veterans who were discharged from 1975 onward and some veterans discharged earlier who had filed a claim with the department.
Burns would not comment on the motive of the employee who took the information home, and what form it was in.
Nicholson described the worker, who has not been identified, as a data analyst.
Congressional sources said that he was a mid-level career employee who lives in Maryland, and that the data was on discs that he planned to use to work on a department project.
Nicholson told CNN that investigators did not think the theft was "a target burglary," adding: "There's a pattern of these kinds of burglaries in this particular neighborhood."
There was no immediate, answer to the most important question: How could a computer-savvy criminal use the information? But Beth Givens, the director of Privacy Rights Clearinghouse, a nonprofit consumer-advocacy group in San Diego, said there was reason to be concerned.
"There is no telling what kind of path the data is going to take," she said. The combination of names, Social Security numbers, and dates of birth "means that 26.5 million people could — could — become victims of identity theft," she said.
The Department of Veterans Affairs acknowledged as much as it advised veterans to be "extra vigilant" and to monitor their bank statements, credit card records, and the like.
The stolen information includes the names of some veterans' spouses, as well as the disability ratings of some veterans.
Givens said it is too early to tell how damaging the lapse involving veterans' records will be. But she said millions of veterans and their families will have to monitor their financial records "from here on, to the indefinite future."
Nicholson said the FBI and his department's inspector general's office have begun investigations of the affair. The department is reviewing its procedures for handling personal data, he said.
The breach comes after more than a year of intense debate over the security of private consumer data, kicked off when it was revealed in February 2005, that thieves had duped the world's largest commercial data broker, Choicepoint, into providing them with information on more than 150,000 consumers.
Since then, consumer groups estimate that some 55 million consumer records of various types, including credit card and bank accounts, Social Security numbers, dates of birth, and other information, have been either lost, stolen, or otherwise made vulnerable.
Monday's breach would put the total around 80 million.
Several states passed tough new legislation in the aftermath of the Choicepoint debacle — principally aimed at forcing companies, schools, and other handlers of private data to notify consumers when their information has been compromised. Other laws have been aimed at permitting consumers to freeze their credit to foil would-be thieves, and forcing new security standards on data handlers.
Several pieces of federal legislation are also pending in Congress, but thus far, the interests of the financial services and credit industries — which seek to limit inhibitions on data handling and the penalties for security breaches, have competed with those of consumer advocates, and no consensus on a bill has emerged.