Worker Often Took Data Home
Friday, May 26, 2006
The Department of Veterans Affairs data analyst who lost 26.5 million veterans' personal information when his home was burglarized had routinely taken such data home since 2003, VA Inspector General George J. Opfer said yesterday.
"It wasn't like all of a sudden one night he took home all this data," Opfer said during a break in House and Senate hearings on the massive information security breach.
Authorities announced a $50,000 reward for information leading to the recovery of the laptop computer and external hard drive stolen May 3 from the employee's Aspen Hill home. The VA inspector general and the FBI are offering the reward. Montgomery County police asked anyone with information to call 866-411-8477.
Federal investigators have removed other sensitive VA data the worker was not authorized to have at home, Opfer testified. He said his staff will identify all the data the employee had at home and determine which supervisors knew about it.
Veterans Affairs Secretary Jim Nicholson said the stolen information was not encrypted or "scrambled." He reiterated that there has been no indication that thieves are using the data to open credit card accounts, take out bank loans or engage in other forms of identity theft.
The electronic file contained names and dates of birth for as many as 26.5 million veterans who have been discharged since 1975, or who were discharged in any year and are collecting disability compensation from the department, Nicholson said. The file also included the Social Security numbers of 19.6 million of those veterans, he said. He said fewer than 100 spouses are believed to be included in the file.
Opfer said his office did not learn of the lost data until May 10, and then only through an offhand remark by a VA employee at a routine meeting. Nicholson was even further out of the loop; he testified yesterday that his subordinates failed to inform him until May 16 -- nearly two weeks after the theft put millions of veterans at risk of identity theft. The FBI was not told until May 17, and Nicholson did not make a public announcement until Monday.
"I'm so damn mad at the loss of veterans' data and the fact that one person can put all of us at risk," said Nicholson, an Army veteran who served in Vietnam. "I can't explain these lapses in judgment on the part of my people. . . . After the inspector general finishes his investigation and finds exactly what happened, I plan to take decisive actions. "
Nicholson said several VA officials have offered their resignations but he will not decide whether to accept them until the investigation is complete. "I am the person ultimately responsible to our veterans, and therefore I am the person responsible for this situation," the secretary said.
He repeated his plan to have all VA employees take a cybersecurity training course by June 30 and to increase background checks of employees with access to sensitive information. He said the employee who took the data home last had a background check 32 years ago.
Lawmakers, besieged by calls from outraged veterans, lambasted Nicholson both for the security breakdown and for the department's sluggish response.
Sen. Susan M. Collins (R-Maine), chairman of the Senate Homeland Security and Governmental Affairs Committee, called the entire episode "absolutely baffling."
"If the employee had chosen not to report the theft immediately, VA and the public could possibly still be in the dark," said Hawaii Sen. Daniel K. Akaka, the top Democrat on the Veterans Affairs Committee.
"Something like this should never go unknown by the boss," said Sen. Johnny Isakson (R-Ga.).
Several lawmakers noted that the department's information security measures have repeatedly been identified as vulnerable in recent years.
"The system is so poorly designed that one employee can compromise the whole thing," said Sen. Barack Obama (D-Ill.).
Sen. Larry E. Craig (R-Idaho), chairman of the veterans panel, said he believes that the VA data analyst was "a dedicated federal employee who took work home with the hope of improving VA operations."
He said the department, and not veterans themselves, should cover the cost of the increased credit monitoring made necessary by the loss of the personal data. "There were many lapses in judgment for which many people are going to have to answer," Craig said. "This was not an error that a veteran made. This was an error that the system that provides services to them made."
Staff writer Steve Vogel contributed to this report.