[ISN] Data Theft Hit 80% Of Active Military

From: InfoSec News (isn@private)
Date: Tue Jun 06 2006 - 22:08:49 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2006/06/06/AR2006060601332.html

By Ann Scott Tyson and Christopher Lee
Washington Post Staff Writers
June 7, 2006

Social Security numbers and other personal information for as many as
2.2 million U.S. military personnel -- including nearly 80 percent of
the active-duty force -- were among the data stolen from the home of a
Department of Veterans Affairs analyst last month, federal officials
said yesterday, raising concerns about national security as well as
identity theft.

The department announced that personal data for as many as 1.1 million
active-duty military personnel, 430,000 National Guard members and
645,000 reserve members may have been included on an electronic file
stolen May 3 from a department employee's house in Aspen Hill. The
stolen data include names, birth dates and Social Security numbers, VA
spokesman Matt Burns said.

Defense officials said the loss is unprecedented and raises concerns
about the safety of U.S. military forces. But they cautioned that law
enforcement agencies investigating the incident have not found
evidence that the stolen information has been used to commit identity
theft.

"Anytime there is a theft of personal information, it is concerning
and requires us and our members to be vigilant," Pentagon spokesman
Bryan Whitman said. He said the loss is "the largest that I am aware
of."

Army spokesman Paul Boyce said: "Obviously there are issues associated
with identity theft and force protection."

For example, security experts said, the information could be used to
find out where military personnel live. "This essentially can create a
Zip code for where each of the service members and [their] families
live, and if it fell into the wrong hands could potentially put them
at jeopardy of being targeted," said David Heyman, director of the
homeland security program at the Center for Strategic and
International Studies (CSIS).

Another worry is that the information could reach foreign governments
and their intelligence services or other hostile forces, allowing them
to target service members and their families, the experts said.

"There is a global black market in this sort of information . . . and
you suddenly have a treasure trove of information on the U.S. military
that is available," said James Lewis, director of technology and
public policy at CSIS.

One defense official, speaking on the condition of anonymity because
of the sensitivity of the matter, called the potential damage
"monumental."

The new revelations significantly increase the potential harm from
what was already one of the largest data breaches in U.S. history. On
May 22, VA disclosed that an external computer hard drive was stolen
May 3 from the home of a VA employee and that it contained unencrypted
names and birth dates for as many as 26.5 million veterans who were
discharged after 1975 or submitted benefit claims. It also included
Social Security numbers for 19.6 million of those veterans, VA
officials said.

Initially VA thought that all of the 26.5 million people affected were
veterans, but a database comparison revealed that they also included
the bulk of active-duty military services, as well as more than 1
million members of the National Guard and reserves.

Montgomery County police released a description yesterday of the
stolen laptop and its external hard drive because they said it may
have been purchased by someone who does not realize the value of its
content. "It could have shown up at a yard sale or a secondhand
store," police spokeswoman Lucille Baur said. "This is a time of the
year when parents may be buying computers for kids going to college in
the fall."

Montgomery County police are offering a $50,000 reward for information
that allows authorities to recover the laptop. The computer is a
Hewlett-Packard model zv5360us and the external hard drive is an HP
External Personal Media Drive.

The Washington Post is not publishing the name of the career data
analyst whose laptop was stolen in response to a request from law
enforcement authorities who are investigating its disappearance.

The breach outraged veterans -- even more so because senior VA
officials knew about the theft within hours of the crime but did not
tell VA Secretary Jim Nicholson until 13 days later. The 60-year-old
analyst, who had been taking home sensitive data for at least three
years without authorization, has been fired, officials have said. His
boss resigned last week and another senior VA official is on
administrative leave pending investigations by the FBI, the VA
inspector general and Montgomery County police.

A coalition of veterans groups filed a class-action lawsuit against
the federal government yesterday, contending that privacy rights were
violated and seeking $1,000 in damages for each affected veteran.

The lawsuit, filed in U.S. District Court in the District of Columbia,
demands that VA fully disclose who was affected by the theft, and asks
a court to prohibit VA workers from using sensitive data until
safeguards are in place. Burns said the department does not comment on
pending litigation. He said VA has received no reports of stolen data
being used for identity theft or other criminal activity.

VA receives records for every new recruit because active-duty
personnel, National Guard members and reservists are eligible for
certain VA benefits, such as GI Bill educational assistance and the
home-loan program.

"The department will continue to make every effort to inform and help
protect those potentially affected, and is working with the Department
of Defense to notify all affected personnel," Nicholson said.

Rep. Lane Evans (D-Ill.), ranking member of the House Veterans'
Affairs Committee, said yesterday that he was "appalled" at the data
breach and called for a Government Accountability Office investigation
into VA information security practices.

Research shows that it is not unusual for government employees to take
home sensitive data on laptops, Lewis said. "The rules we have are
either chaotic or nonexistent. . . . We still have a paper rules
government when we are a digital nation."

Staff writer Ernesto Londoño contributed to this report.

© 2006 The Washington Post Company






This archive was generated by hypermail 2.1.3 : Tue Jun 06 2006 - 22:36:29 PDT