Washington – As many as 26.5 million veterans were placed at risk of identity theft when intruders stole an electronic data file this month containing their names, birth dates and Social Security numbers from the home of a Department of Veterans Affairs employee, VA Secretary Jim Nicholson said Monday.
The burglary occurred May 3 in Wheaton, Md., according to a source with knowledge of the incident who did not want to be identified because the matter is under investigation.
A career data analyst, who was not authorized to take the information home, has been put on administrative leave pending the outcome of investigations by the FBI, local police and the inspector general of the VA, Nicholson said. He would not identify the employee by name or title.
“They believe this was a random burglary and not targeted at this data,” Nicholson said. “There have been a series of burglaries in that community. … There is no indication at all that any use is being made of this data or even that they know that they have it.”
Nicholson said affected veterans include anyone discharged since 1975 and some of their spouses, as well as some veterans discharged before that who submitted a claim for VA benefits.
The theft represents the biggest unauthorized disclosure ever of personal Social Security data, and could make affected veterans vulnerable to credit card fraud if the burglars realize the value of their haul, one expert said.
“In terms of Social Security numbers, it’s the biggest breach,” said Evan Hendricks, publisher of Privacy Times newsletter and author of the book Credit Scores & Credit Reports. “As long as you’ve got that exact Social, most of the time the credit bureaus will disclose your credit report, and that enables the thief to get credit.”
For years, the VA inspector general has criticized the department for lax information security practices, chiefly concerning the ease with which computer hackers might penetrate VA systems.
“VA has not been able to effectively address its significant information security vulnerabilities and reverse the impact of its historically decentralized management approach,” acting inspector general Jon Wooditch wrote in a Nov. 2005 report.
Democrats on the House Committee on Veterans Affairs issued a statement calling on the VA to restrict access to sensitive information to essential personnel, and to enforce those restrictions.
“It is a mystifying and gravely serious concern that a VA data analyst would be permitted to just walk out the VA door with such information,” the statement said.
Sen. Larry Craig, R-Idaho, chairman of the Senate Committee on Veterans Affairs, said his panel would hold hearings on information security at VA.
According to a police report, someone pried open a window to the employee’s home between 10:30 a.m. and 4:45 p.m. The burglar or burglars took a laptop, external drive and some coins. The theft was reported that day to Montgomery County, Md., police, according to the police report.
Although publicly revealing the incident might tip off the thieves to the value of their booty, Nicholson said VA officials decided veterans needed to know to monitor their credit scores and credit card and bank statements.
The VA plans to send letters to every veteran notifying them that their personal information has been compromised, Nicholson said.
After the first meeting of the President’s Identity Theft Task Force on Monday, Attorney General Alberto Gonzales, the panel’s chairman, said, “I’ve directed prosecutors to exercise zero tolerance for those who engage in identity theft that may be related to this incident.”
Identity theft and fraud has become a national problem. Three years ago, federal authorities estimated about 750,000 people fell victim to some type of identity scam. These days, the estimate is as high as 10 million.
“This is an enormous breach, and because the data was not stored securely, millions of people are at risk,” said Ari Schwartz, deputy director of the nonprofit Center for Democracy and Technology, a privacy group. “If it’s a garden-variety burglary, it’s wise for veterans to monitor their credit reports regularly, but they shouldn’t expect that they are going to see anything weird.”
What to do
If you believe your personal information has been misused as a result of the theft of Department of Veterans Affairs data on 26.5 million U.S. veterans, call 1-800-FED-INFO or go online to www.firstgov.gov.
