By Christopher Lee and Zachary A. Goldfarb
Washington Post Staff Writers
Friday, June 30, 2006
Federal officials yesterday announced the recovery of computer equipment stolen from an employee of the Department of Veterans Affairs. They said that sensitive personal information of 26.5 million veterans and military personnel apparently had not been accessed.
The laptop and external hard drive, stolen May 3 from a VA data analyst's home in Aspen Hill, contained the names, birth dates and Social Security numbers of millions of current and former service members. The theft was the largest information security breach in government history and raised fears of potential mass identity theft.
VA Secretary Jim Nicholson announced the recovery yesterday during a hearing of the House Committee on Veterans Affairs.
"Law enforcement has in their possession the laptop and hard drive," Nicholson said. "The serial numbers match. They are diligently conducting forensic analysis on it to see if they can tell whether it's been duplicated or utilized or entered in any way, and that work is not complete. However, they did say to me that there is reason to be optimistic."
FBI officials and local authorities said at a news conference that a person who had the laptop contacted U.S. Park Police on Wednesday after seeing news accounts and notices of a $50,000 reward offered by Montgomery County police. The devices were recovered in the "general vicinity" of Aspen Hill, said Chief Dwight E. Pettiford of the Park Police.
FBI Special Agent in Charge William D. Chase, of the agency's Baltimore office, said it is "way too early" to say whether the person will get the reward or whether criminal charges will be filed soon. FBI spokeswoman Michelle Crnkovich said the tipster is not a suspect.
"A preliminary review of the equipment by computer forensic teams has determined that the data base remains intact and has not been accessed since it was stolen," the FBI said in a statement. "A thorough forensic examination is underway, and the results will be shared as soon as possible."
Lawmakers hailed the investigative work but said VA still has much to do to improve data security.
"[T]he basic deficiencies leading to this data loss must be corrected," Rep. Steve Buyer (R-Ind.), chairman of the Veterans Affairs Committee, said in a statement. "The history of lenient policies and lack of accountability within VA management must be rectified."
Rep. Lane Evans (Ill.), the committee's ranking Democrat, said in a statement: "Today's announcement does not relieve the Department of Veterans Affairs from fixing its broken data security system and failed leadership."
The theft has proved to be an embarrassing and expensive management failure for VA. In a series of hearings, lawmakers have criticized Nicholson for the department's lax security practices and sluggish response, noting that the secretary was not told of the burglary for 13 days. The incident also has cast light on the department's consistent ranking near the bottom among federal agencies in an annual congressional scorecard of computer security.
Pedro Cadenas Jr., the VA official in charge of information security, resigned yesterday for personal reasons, VA officials said. Earlier, a high-ranking political appointee was dismissed and a longtime career manager was forced to retire.
The Bush administration this week asked Congress for $160.5 million to pay for free credit monitoring for veterans and military personnel. VA already has budgeted $25 million to create a call center to handle veterans' questions and to send letters alerting veterans about the theft. Several veterans groups have filed class-action lawsuits locally and in Kentucky against the government, seeking $1,000 in damages per affected veteran.
Initially, VA thought that all of the 26.5 million people affected were veterans. But a database comparison revealed that the stolen equipment also contained Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel, including 1.1 million active-duty military personnel, 430,000 National Guard members and 645,000 reserve members.
Nicholson said it is too early to tell whether free-credit monitoring for veterans is now unnecessary. VA still plans to hire a data analysis company to monitor whether veterans' identities are being stolen, he said.
Rep. Bob Filner (D-Calif.) said yesterday that three VA documents obtained by the Veterans Affairs Committee indicate that the data analyst was authorized to take a laptop home and use a software package to access the data. That contradicted Nicholson's previous testimony that the employee was not authorized to have the information at home.
"He got all the approvals that he was supposed to have," Filner said. "I don't know of a policy that he violated, if you'll tell me one. And that's the real negligence -- that there were no policies."
Nicholson said he had not seen the documents, and declined to comment because the career analyst is challenging Nicholson's decision to fire him.
Tim S. McClain, VA's general counsel, told the panel that one of the documents did not apply to the laptop that was stolen. He acknowledged that the other documents granted the analyst access to Social Security numbers and permitted him to have software at home.
Jim Mueller, commander-in-chief of the national Veterans of Foreign Wars, applauded the equipment's recovery, but said in a statement that Nicholson still has much to do to repair the agency's reputation.
"The longer Secretary Nicholson waits to hold people accountable, the more confidence he will lose in the eyes of America's veterans, their families, and those who wear the uniform today," he said.
Staff writer Ernesto Londo?o contributed to this report.