In a case that emphasizes the myriad ways for digital data to be compromised, files containing information on some 26.5 million U.S. veterans were taken from the home of a government employee during a burglary.
The Department of Veterans Affairs announced the breach Monday, but said there was no evidence that any data had been used illegally and said it was likely that whoever stole it may not be aware of the information or how to use it.
Possible ID Theft
All of the potentially affected veterans were notified by The Department in a letter sent immediately after the breach was discovered. The letter, signed by Secretary of Veterans Affairs R. James Nicholson, informs veterans that “information identifiable with you was potentially exposed to others.”
The letter advises veterans to be “extra vigilant” in monitoring bank statements, credit card records and other personal files for any sign of unauthorized activity.
No health records or financial information was included among the data taken over the weekend, according to the agency, but with as many as 26.5 million records compromised, the breach represents a major public relations embarrassment for the agency. Because social security numbers were included in the data, experts said the likelihood of identity theft occurring if the information falls into the wrong hands were very high.
It is also just the latest reminder of how many different ways digital data can be revealed and underscores the human element in data security.
At a news conference Monday, Attorney General Alberto Gonzales said there was no evidence that any of the information had been used for identity theft and added that he advised prosecutors to “exercise zero tolerance” in pursuing charges against anyone suspected of doing so.
The files reportedly include data on veterans discharged from active duty since 1975 and some older veterans who had filed claims or had other interactions with the agency since then. Some data on spouses was also included in the files.
Few details were given on the specifics of the case since it is an ongoing investigation, but the agency acknowledged that a data analyst had taken home data to work on a project. Some reports said the information was on discs, while others said it was stored on a laptop that was swiped during the break-in.
In a note on its Web site, the department said the employee had been placed on administrative leave because removing the data from the office was a violation of policy.
The incident ranks near the top of all data disclosures in terms of sheer size and adds to a laundry list of breaches from consumer credit companies, state agencies and other organizations in recent years. Data has been disclosed or potentially disclosed in a range of ways, from having physical records misplaced to inadvertent Web postings to hackings of supposedly secure databases.
According to the Privacy Rights Clearinghouse, some 80 million personal records have been disclosed since February of 2005, when it began keeping track shortly after consumer credit scoring firm ChoicePoint had some 150,000 records stolen from its database.
The incidents include stolen laptops, compromised passwords, thefts by insiders, lost backup tapes and disclosures by e-mail, noted director Beth Givens.
“The fact that so much private information has been disclosed in so many different ways underscores the need to turn over such data only to trusted sources and for there to be changes in the way data is shared,” Givens said. The widespread use of social security numbers to identify customers is one problem that could be addressed easily by moving toward other unique identifiers, she added.
Ironically, the breach was revealed just days after President Bush issued an executive order creating an ID theft prevention task force whose membership includes the Secretary of Veterans Affairs.
Bush’s order also makes it federal policy to use federal resources where appropriate to deter, prevent and detect ID theft.
That move was seen as falling short by some who want Congress to pass a national database breach notification law, something many states have already done to mandate immediate disclosure of breaches as a way of preventing ID theft.
Any legislation will be too watered down to make a real difference, Todd Davis, CEO of anti-ID theft service LifeLock, told the E-Commerce Times. He added that the continual presence of human error as in cases where backup tapes were lost in transit to storage facilities emphasizes that not all data breaches are created equal.
“Private enterprise is better equipped to solve this problem and will over time,” Davis said. “But I don’t think we’ll ever get to a point where all data is entirely secure. There’s just too many ways for it to get out.”