[ISN] Agency Delayed Reporting Theft of Veterans' Data

From: InfoSec News (isn@private)
Date: Thu May 25 2006 - 00:44:42 PDT


http://www.nytimes.com/2006/05/24/washington/24identity.html

By DAVID STOUT and TOM ZELLER Jr.
May 24, 2006

WASHINGTON, May 23 - The Veterans Affairs Department learned about the
theft of electronic data on 26.5 million veterans shortly after it
occurred, on May 3, but waited two weeks before telling law
enforcement agencies, officials said Tuesday.

The officials said investigators in the Justice Department and the
Federal Bureau of Investigation were furious with the leaders of the
veterans agency for initially trying to handle the loss of the data as
an internal problem through the agency's inspector general before
coming forward.

Officials said the investigators in the Justice Department and F.B.I.
had complained that the delay might have cost them clues to the
whereabouts of the data, stored on computer disks that were stolen in
a burglary on May 3 at the home of an agency employee in Maryland.

A spokesman for the agency, Matt Burns, declined to comment on the
timing of the announcement.

The disks carried names and accompanying Social Security numbers and
dates of birth, practically keys to identity in the computer age.

It was not clear, in the absence of an explanation from the agency,
why its officials waited for days to disclose the theft to law
enforcement people and still more days to announce it to the public or
what internal discussions might have prompted them to change their
minds.

As the department sought to reassure veterans not privy to the
bureaucratic machinations here and to deal with a security lapse that
was becoming a public relations disaster, some veterans were uneasy
and suspicious.

"Why did the V.A. wait 19 days to notify veterans?" John Rowan,
president of the Vietnam Veterans of America, asked.

Perhaps, Mr. Rowan suggested, the department learned that the news was
about to be leaked.

The wife of a disabled veteran of the gulf war, Penny Larrisey of
Doylestown, Pa., expressed what countless crime victims have said.

"Just right about now, the only way you can feel is you've been
violated," Mrs. Larrisey said in a telephone interview.

The department has emphasized that there was as yet no indication that
the data, taken home without authorization by the employee, had been
put to ill use.

But Mrs. Larrisey, whose husband, Bob, was an Air Force sergeant, was
not soothed.

"This puts us in a position of one paycheck away from disaster," she
said, worrying that a computer-savvy thief with access to specifics
about her husband's disability payments could tap into their bank
account.

The authorities continued to investigate the activities of the
employee, who is on administrative leave.

Officials familiar with the case said that while investigators had no
reason to dispute the employee's account, they were nonetheless
puzzled why little else of value besides the data-laden disks were
stolen. In an added twist, the officials said investigators were
having trouble finding the employee but did not think that he was
necessarily trying to be evasive.

Several aspects remained murky, including how much communication, if
any, there was between the Montgomery County police in Maryland and
federal investigators about the disks.

Mr. Rowan of the Vietnam veterans' group said the Veterans Affairs
Department should do more than just post information on its Web site
advising veterans to scrutinize their financial records and telling
them what to do if they find something wrong.

"The V.A. has put veterans at risk for identity theft," he said. "If
this were the private sector, they would be required to provide each
veteran with free credit-reporting services."

A spokesman for Senator Larry E. Craig, the Idaho Republican who is
chairman of the Veterans Affairs Committee, said the panel would
consider just such measures when it holds a hearing on the case on
Thursday morning. The spokesman, Jeff Schrade, said government
agencies should treat personal data as "top secret information."

Christopher Walsh, a lawyer here who specializes in security cases,
said the theft conveyed a disturbing message, that "the government has
paid far less attention to the issue of data security than the people
think - and far less than business."

Recent federal laws entitle every consumer the right to one free
credit report from each major consumer credit-reporting agency -
Experian, Equifax and TransUnion - every year. But for closer
monitoring of credit status, the kind that some consumers turn to when
they fear that their records have been compromised, the companies
charge a fee. Ten dollars a month after a free 30-day trial is
typical.

If veterans feel threatened enough to enter such arrangements, "the
government ought to pay for it, in my view," Mr. Walsh said.

At least two companies offering identity-theft protection, LifeLock
and MyPublicInfo, said they had discount packages for veterans
affected by the theft.

Senator Craig's spokesman, Mr. Schrade, declined to predict what would
happen at the hearing on Thursday or how the security breach would be
repaired.

"But," he said, "I don't think we're going to get out of this on the
cheap."

Maureen Balleza contributed reporting from Houston for this article.



