By Christopher Lee
Washington Post Staff Writer
Friday, June 9, 2006
Police believe that thieves who stole a laptop and external hard drive from a Department of Veterans Affairs employee were interested in selling the equipment, not harvesting the sensitive personal information it contained, VA Secretary Jim Nicholson said yesterday.
A series of burglaries targeting computer hardware has hit the Aspen Hill area, where the employee lives, Nicholson said. More than a month after the May 3 crime -- which compromised the names, birth dates and Social Security numbers of millions of veterans and active-duty military members -- the FBI and Montgomery County police have no evidence that anyone is using the information to commit fraud or identity theft, he said.
"They believe that these were young burglars whose goal was to get computers and computer peripheral equipment," Nicholson testified before the House Government Reform Committee. "And from other houses, like they did this house, they took a laptop and hard drive, and overlooked other valuable or semi-valuable things. . . . They further think that their MO is to take these things, clean them up -- actually erase them -- and then fence them into a market for college campuses and high schools."
Nicholson cautioned that authorities had no assurances their theory of the crime is correct. And although police have arrested some people in connection with the recent burglaries, serial numbers on recovered computer equipment did not match those of the items stolen from the employee's home, he said.
The committee hearing examined the VA data breach, the largest in government history, in the context of information security concerns across the federal bureaucracy. The VA theft put at risk the unencrypted personal information of 26.5 million veterans and active-duty military members. But smaller security lapses take place routinely, said Clay Johnson III, deputy director for management at the Office of Management and Budget.
"I'm told that there are dozens of security breaches involving laptops in a year," Johnson said. "None of these involve 26 million, 27 million names. So this is the 100-year storm of security breaches. The magnitude of it is the alarming thing."
He said the key is to minimize the number and impact of data breaches by requiring agencies to tighten enforcement of existing security policies. "It is currently the standard that all sensitive data on laptops be encrypted," Johnson said. "That is the standard. It's just not enforced."
Despite assurances yesterday of stringent security policies from officials with the Internal Revenue Service and the Social Security Administration, both agencies have suffered smaller-scale breaches in recent months.
Early last month, an IRS employee lost an agency laptop on an airplane; it contained unencrypted names, birth dates and Social Security numbers for 291 workers and job applicants, agency officials said this week.
An SSA employee's personal laptop computer containing Social Security numbers and other sensitive information for 200 people was recently stolen at a conference the employee was attending, William E. Gray, a deputy commissioner at the agency, said in written testimony yesterday.
Lawmakers were incredulous. "It is beyond stupid to take out sensitive documents," said Rep. Christopher Shays (R-Conn.). "But I have the sense that this is a common practice."
Rep. Gil Gutknecht (R-Minn.) said media accounts had blown the VA data theft out of proportion. "So far, there's no evidence that any of these people have actually sustained any real damage," he said.
But Rep. Steven C. LaTourette (R-Ohio) was not so sure. One of his constituents, Army veteran Steven Michel, recently discovered that someone had set up a second VA account in his name to receive disability checks. "He's even more disturbed that his bank informed him that it was possible someone phoned in new direct-deposit information to a bogus bank account . . . in the state of Michigan," LaTourette said.
Nicholson said it might not be linked to the VA theft, but he wanted to find out. "That's the first incidence I've heard of that affecting a veteran," he said. "I would like to get that information, and we will follow that."