Data Compromised For 26,000 at USDA

By Zachary A. Goldfarb
Special to The Washington Post
Friday, June 23, 2006

A hacker breached the Agriculture Department's computer system and may have taken personal information on 26,000 employees, retirees and contractors, the department said, making it the latest federal agency to have had personal data compromised.

The potential loss is less dramatic than the one that occurred last month with the theft of a laptop computer and hard drive containing personal information on up to 26.5 million veterans and military personnel from the home of a Department of Veterans Affairs employee.

The Agriculture Department, which alerted employees to the breach Wednesday, said those affected will receive a year of free credit monitoring. VA announced a similar plan Wednesday after weeks of criticism for its failure to safeguard private data. On an individual basis, credit monitoring can cost more than $75 year.

"We may cover more than necessary, but really our point is to protect the personal data of employees," Boyd Rutherford, Agriculture's assistant secretary for administration, said yesterday. He said law enforcement and the department's inspector general are investigating the breach and have no leads on the hacker.

In the VA case, Congress may step in to help pay for the credit monitoring. Late yesterday afternoon, the Senate Appropriations Committee voted 15 to 13 to amend the 2007 agriculture spending bill to provide $160 million in emergency funding for the monitoring. Only two Republicans voted in favor; the others were concerned that the amendment would prejudice the bidding process in hiring a credit-monitoring service. The full Senate must still pass the bill.

The information contained in the breached Agriculture database is used for the department's badges for people living in the D.C. area. Employees elsewhere are not affected. The database contained names, Social Security numbers, pictures, office locations, work telephone numbers and other information. Some of this information would be helpful to identity thieves in setting up fraudulent accounts.

On the first weekend of this month, officials at US-CERT, an arm of the Department of Homeland Security, spotted an unusual pattern of traffic into Agriculture computers. They notified technology officials at Agriculture, who called in the vendor of the security software running on those machines.

The officials originally thought the intrusion had been limited and did not compromise the personnel database. But a more thorough analysis was ordered. "It was inconclusive," Rutherford said. "We couldn't rule out whether someone accessed the personnel system. So we immediately notified the employees and others affected."

In addition, the department set up a call center for queries about the breach (800-333-4636) and is making information available on the Web at .

A report card on information security prepared by the House Government Reform Committee has given Agriculture a failing grade for the past five years. Rutherford said systems coordinators throughout the department have been directed to ensure that any systems containing sensitive data are well secured against intrusion.

In other data security news, the Federal Trade Commission reported yesterday the recent theft of two laptops containing personal data of about 110 people gathered during law enforcement investigations. Among the data were names, addresses, Social Security numbers, dates of birth and financial account numbers. The FTC promised to offer those affected a year of free credit monitoring.

© 2006 The Washington Post Company