Focusing public attention on emerging privacy and civil liberties issues

Veterans Affairs Data Theft

Latest News

  • Stolen Veterans Affairs Laptop and Hard Drive Are Found.The stolen laptop computer and hard drive containing sensitive data for up to 26.5 million veterans, their spouses, and active-duty military personnel have been found, according to Veterans AffairsSecretary Jim Nicholson. This comes as newly discovered documentsshow that Veterans Affairs had given permission in 2002 for the analyst, from whom the equipment was stolen, to work from home with data that included millions of Social Security numbers, disability ratings and other personal information. Agency officials previously said the analyst was fired because he violated agency procedure by taking the data home. (Jun. 29)
  • Scope of Veterans Affairs Data Theft Widens.The personal information of about 1.1 million active-duty military personnel, 430,000 members of the National Guard and 645,000 members of the Reserves, was stolen in the recent theft of computer data from the Department of Veterans Affairs, the agency announcedTuesday. The agency previously said ( pdf) that all 26.5 million people affected by the data theft were veterans and their spouses. The data include Social Security numbers and disability ratings. Privacy Rights Clearinghouseoffers ID theft prevention tips. (Jun. 7)
  • Department of Veterans Affairs Reports Massive Data Theft.The Department of Veterans Affairs announced todaythat an agency employee took home records on 26.5 million veterans that were subsequently stolen by a burglar. The data included names, Social Security numbers, and dates of birth, as well as some disability ratings. The FBI and the VA Inspector General's Office have launched "full-scale investigations." Information for those who are concerned about identity theft is available from the Federal Trade Commission. (May 22)

Background

An information security breach by a Veterans Affairs employee resulted in the theft from his Maryland home of unencrypted data affecting 26.5 million people. The agency has estimated that it will cost between $100 million to $500 million to prevent and cover possible losses from the data theft. Though the theft occurred on May 3, 2006, the agency waited until May 22 to inform those who were affected. The delay was just one of many failures by Veterans Affairs in this incident.

On May 3, 2006, a data analyst at Veterans Affairs took home a laptop and an external hard drive containing unencrypted information on 26.5 million people. The computer equipment was stolen in a burglary of the analyst's home in Montgomery County, Md., and he immediately reported the theft to both Maryland police and his supervisors at Veterans Affairs. The analyst admitted that he had been routinely taking home such sensitive data for three years. Though the analyst's supervisors knew of the theft, Veterans Affairs Secretary R. James Nicholson was not told of the data theft until May 16. The next day, Secretary Nicholson informed the FBI, who began working with Montgomery County police to investigate the burglary.

On May 22, Veterans Affairs issued a statement about the theft, explaining the data stolen included the names, Social Security numbers, dates of births, and some disability ratings for 26.5 million veterans and spouses, but did not include financial information or electronic health records. Subsequent investigation showed that the scope of the data breach was beyond the initial assessment. At a Congressional hearing on May 25, Secretary Nicholson admitted that, though the agency had said the data stolen did not include health records, it did include disability ratings that provided medical information on 2.6 million people.

On June 3, Veterans Affairs announced that the personal information of about 50,000 active-duty personnel were included in the data stolen. Another announcement followed on June 6, explaining that the 26.5 million people affected by the data theft included "1.1 million military members on active duty, 430,000 members of the National Guard, and 645,000 members of the Reserves." The FBI and Montgomery County police continue to investigate the theft.

The massive theft of data from Veterans Affairs is one of many that have been revealed in the last year and a half. Data broker Choicepointrevealed in February 2005 that it had sold information on about 400,000 people to identity thieves. A short time later, Bank of America misplaced back-up tapes containing detailed financial information on 1.2 million employees in the federal government, including many members of Congress. Lexis-Nexis made available records from its Seisint division on 32,000 Americans to a criminal ring that exploited passwords of legitimate account holders. At a Congressional hearing in June 2006, it was revealed that a hacker had stolen a file from the Department of Energy in November. The file contained the names and Social Security numbers of 1,500 people working in a nuclear weapons division.

On June 12, a laptop containing sensitive data, including Social Security numbers, of 13,000 District of Columbia employees and retirees was stolen from the Washington home of an employee of ING U.S. Financial Services. The computer was not password-protected, and the data on it was not encrypted. On June 20, Equifax Inc., one of the nation's three major credit bureaus, announced that a company laptop containing employee names and Social Security numbers was stolen on May 29 from an employee who was traveling near London. The theft could affect as many as 2,500 of the Equifax's 4,600 employees.

On June 29, the stolen laptop computer and hard drive were turned in by an unidentified person. This news came as newly discovered documents showed that Veterans Affairs had given permission in 2002 for the analyst, from whom the equipment was stolen, to work from home with data that included millions of Social Security numbers, disability ratings and other personal information. Agency officials previously said the analyst was fired because he violated agency procedure by taking the data home.

News Items

Resources

Documents

  • Department of Veterans Affairs, Update, Stolen Computer Equipment Recovered(June 30, 2006).
  • Testimonyof Linda D. Koontz, Director, Information Management Issues, Government Accountability Office, and Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office at a Hearing on the Repeated Failures of VA's Information Technology Management Before the Committee on Veterans' Affairs of the U.S. House of Representatives (June 14, 2006).
  • Statementof Michael L. Staley, Assistant Inspector General for Audit, Department of Veterans Affairs at a Hearing on the Repeated Failures of VA's Information Technology Management Before the Committee on Veterans' Affairs of the U.S. House of Representatives (June 14, 2006).
  • Department of Veterans Affairs, News Release, Secretary Nicholson Provides Update on Stolen Data Incident: Data Matching With Department of Defense Providing New Details(June 6, 2006).
  • Department of Veterans Affairs, News Release, Secretary Nicholson Provides Update on Stolen Data Incident: VA's Investigation Providing New Details about Information Potentially Involved(June 3, 2006).
  • Statementof R. James Nicholson, Secretary, Department of Veterans Affairs, at a Hearing on Failure of VA's Information Management Before the Committee on Veterans' Affairs of the U.S. House of Representatives (May 25, 2006).
  • Statementof George J. Opfer, Inspector General, Department of Veterans Affairs, at a Hearing on Failure of VA's Information Management Before the Committee on Veterans' Affairs of the U.S. House of Representatives (May 25, 2006).
  • Department of Veterans Affairs, Statement, Statement of Secretary of Veterans Affairs R. James Nicholson On the Status of the Veterans' Data Theft(May 24, 2006).
  • Department of Veterans Affairs, Statement, A Statement from the Department of Veterans Affairs Announcing the Loss of Veterans' Personal Information(May 22, 2006).