Veterans Affairs Data Theft

Background | News Items | Resources | Documents

 

Latest News

• Stolen Veterans Affairs Laptop and Hard Drive Are Found. The stolen laptop computer and hard drive containing sensitive data for up to 26.5 million veterans, their spouses, and active-duty military personnel have been found, according to Veterans Affairs Secretary Jim Nicholson. This comes as newly discovered documents show that Veterans Affairs had given permission in 2002 for the analyst, from whom the equipment was stolen, to work from home with data that included millions of Social Security numbers, disability ratings and other personal information. Agency officials previously said the analyst was fired because he violated agency procedure by taking the data home. (Jun. 29)
• Scope of Veterans Affairs Data Theft Widens. The personal information of about 1.1 million active-duty military personnel, 430,000 members of the National Guard and 645,000 members of the Reserves, was stolen in the recent theft of computer data from the Department of Veterans Affairs, the agency announced Tuesday. The agency previously said (pdf) that all 26.5 million people affected by the data theft were veterans and their spouses. The data include Social Security numbers and disability ratings. Privacy Rights Clearinghouse offers ID theft prevention tips. (Jun. 7)
• Department of Veterans Affairs Reports Massive Data Theft. The Department of Veterans Affairs announced today that an agency employee took home records on 26.5 million veterans that were subsequently stolen by a burglar. The data included names, Social Security numbers, and dates of birth, as well as some disability ratings. The FBI and the VA Inspector General's Office have launched "full-scale investigations." Information for those who are concerned about identity theft is available from the Federal Trade Commission. (May 22)

Background

An information security breach by a Veterans Affairs employee resulted in the theft from his Maryland home of unencrypted data affecting 26.5 million people. The agency has estimated that it will cost between $100 million to $500 million to prevent and cover possible losses from the data theft. Though the theft occurred on May 3, 2006, the agency waited until May 22 to inform those who were affected. The delay was just one of many failures by Veterans Affairs in this incident.

On May 3, 2006, a data analyst at Veterans Affairs took home a laptop and an external hard drive containing unencrypted information on 26.5 million people. The computer equipment was stolen in a burglary of the analyst's home in Montgomery County, Md., and he immediately reported the theft to both Maryland police and his supervisors at Veterans Affairs. The analyst admitted that he had been routinely taking home such sensitive data for three years. Though the analyst's supervisors knew of the theft, Veterans Affairs Secretary R. James Nicholson was not told of the data theft until May 16. The next day, Secretary Nicholson informed the FBI, who began working with Montgomery County police to investigate the burglary.

On May 22, Veterans Affairs issued a statement about the theft, explaining the data stolen included the names, Social Security numbers, dates of births, and some disability ratings for 26.5 million veterans and spouses, but did not include financial information or electronic health records. Subsequent investigation showed that the scope of the data breach was beyond the initial assessment. At a Congressional hearing on May 25, Secretary Nicholson admitted that, though the agency had said the data stolen did not include health records, it did include disability ratings that provided medical information on 2.6 million people.

On June 3, Veterans Affairs announced that the personal information of about 50,000 active-duty personnel were included in the data stolen. Another announcement followed on June 6, explaining that the 26.5 million people affected by the data theft included "1.1 million military members on active duty, 430,000 members of the National Guard, and 645,000 members of the Reserves." The FBI and Montgomery County police continue to investigate the theft.

The massive theft of data from Veterans Affairs is one of many that have been revealed in the last year and a half. Data broker Choicepoint revealed in February 2005 that it had sold information on about 400,000 people to identity thieves. A short time later, Bank of America misplaced back-up tapes containing detailed financial information on 1.2 million employees in the federal government, including many members of Congress. Lexis-Nexis made available records from its Seisint division on 32,000 Americans to a criminal ring that exploited passwords of legitimate account holders. At a Congressional hearing in June 2006, it was revealed that a hacker had stolen a file from the Department of Energy in November. The file contained the names and Social Security numbers of 1,500 people working in a nuclear weapons division.

On June 12, a laptop containing sensitive data, including Social Security numbers, of 13,000 District of Columbia employees and retirees was stolen from the Washington home of an employee of ING U.S. Financial Services. The computer was not password-protected, and the data on it was not encrypted. On June 20, Equifax Inc., one of the nation's three major credit bureaus, announced that a company laptop containing employee names and Social Security numbers was stolen on May 29 from an employee who was traveling near London. The theft could affect as many as 2,500 of the Equifax's 4,600 employees.

On June 29, the stolen laptop computer and hard drive were turned in by an unidentified person. This news came as newly discovered documents showed that Veterans Affairs had given permission in 2002 for the analyst, from whom the equipment was stolen, to work from home with data that included millions of Social Security numbers, disability ratings and other personal information. Agency officials previously said the analyst was fired because he violated agency procedure by taking the data home.

 

News Items

• Editorial: VA's goof shows need for new identity system. St. Petersburg Times, July 4, 2006.
• Data exposed without a trace. Washington Times, July 3, 2006.
• Thieves' Indifference May Mean VA Laptop's Data Is Secure. Washington Post, July 1, 2006.
• Stolen VA Laptop and Hard Drive Recovered. Washington Post, June 30, 2006.
• VA security officer resigns. GCN, June 30, 2006.
• Stolen VA laptop, drive found. Tribune Newspapers, June 30, 2006.
• Judge rules VA can publicize no-cost credit monitoring offer. Associated Press, June 30, 2006.
• More instances of missing data at VA come to light. Federal Times, June 30, 2006.
• VA worker had OK to use data at home. Associated Press, June 29, 2006.
• FBI Recovers Stolen Veterans Affairs Laptop. InformationWeed, June 29, 2006.
• Veterans learn about identity theft. San Diego Union-Tribune, June 17, 2006.
• Vets on edge over stolen data. Dallas Morning News, June 17, 2006.
• EDITORIAL: VA theft hits home here in the Tri-Cities. Tri-City Herald, June 16, 2006.
• Column: Data-loss disclosure falls short. San Francisco Chronicle, June 16, 2006.
• VA data theft not linked to other crimes. Associated Press, June 15, 2006.
• IG cites lax security on VA medical records. Federal Times, June 15, 2006.
• VA data still at risk, investigators say. Associated Press, June 15, 2006.
• VA Ignores Cybersecurity Warnings. IDG News Service, June 14, 2006.
• Official can't rule out wider breach of vet data. Reuters, June 8, 2006.
• Veterans Groups Sues Over Data Theft. Associated Press, June 8, 2006.
• Democrats Question Handling of Data Breach. New York Times, June 7, 2006.
• Size of Military Data Theft Grows to Affect Millions of Troops. New York Times, June 7, 2006.
• Personal data on 2.2 million troops stolen. Reuters, June 6, 2006.
• Official Quits Over Theft of Computer Data. New York Times, May 31, 2006.
• VA Knew Early About Data Theft. Washington Post, May 27, 2006.
• V.A. Chief Admits to Data Security Problems. New York Times, May 25, 2006.
• Veterans Angered by File Scandal. Washington Post, May 24, 2006.
• Vast Data Cache About Veterans Is Stolen. New York Times, May 22, 2006.
• Thieves Steal Personal Data of 26.5 Million Vets. Associated Press, May 22, 2006.

Resources

• Department of Veterans Affairs has set up a Web site about the theft and a toll-free number for victims: 1-800-FED INFO (333-4636).
• Privacy Rights Clearinghouse offers ID theft prevention tips.
• Federal Trade Commission's resources about identity theft.
• EPIC's Choicepoint page (concerning other data breaches and information security).

Documents

• Department of Veterans Affairs, Update, Stolen Computer Equipment Recovered (June 30, 2006).
• Testimony of Linda D. Koontz, Director, Information Management Issues, Government Accountability Office, and Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office at a Hearing on the Repeated Failures of VA's Information Technology Management Before the Committee on Veterans' Affairs of the U.S. House of Representatives (June 14, 2006).
• Statement of Michael L. Staley, Assistant Inspector General for Audit, Department of Veterans Affairs at a Hearing on the Repeated Failures of VA's Information Technology Management Before the Committee on Veterans' Affairs of the U.S. House of Representatives (June 14, 2006).
• Department of Veterans Affairs, News Release, Secretary Nicholson Provides Update on Stolen Data Incident: Data Matching With Department of Defense Providing New Details (June 6, 2006).
• Department of Veterans Affairs, News Release, Secretary Nicholson Provides Update on Stolen Data Incident: VA’s Investigation Providing New Details about Information Potentially Involved (June 3, 2006).
• Statement of R. James Nicholson, Secretary, Department of Veterans Affairs, at a Hearing on Failure of VA's Information Management Before the Committee on Veterans' Affairs of the U.S. House of Representatives (May 25, 2006).
• Statement of George J. Opfer, Inspector General, Department of Veterans Affairs, at a Hearing on Failure of VA's Information Management Before the Committee on Veterans' Affairs of the U.S. House of Representatives (May 25, 2006).
• Department of Veterans Affairs, Statement, Statement of Secretary of Veterans Affairs R. James Nicholson On the Status of the Veterans' Data Theft (May 24, 2006).
• Department of Veterans Affairs, Statement, A Statement from the Department of Veterans Affairs Announcing the Loss of Veterans' Personal Information (May 22, 2006).

Last Updated: July 5, 2006
Page URL: http://www.epic.org/privacy/vatheft/default.html