However, all U.S. veterans discharged after 1975 learned just prior to Memorial Day 2006 that their most crucial personal information from the Department of Veterans Affairs had been stolen and still remains in the public domain. The revelation, announced by Secretary of Veterans Affairs R. James Nicholson on May 22, 2006, was that names, dates of birth and Social Security numbers, including phone numbers and addresses, had been stolen on as many as 26.5 million service members and some of their spouses. That announcement did not even include the total amount of information, or the number of other service members' information, that has since been discovered.
It all started on May 3, 2006, when a 30-year career senior-level information technology specialist in the Office of Policy of Veterans Affairs (VA) violated security procedure. He took home a laptop computer, which belonged to the VA. He had been working on an annual study about veterans' demographics. It was also revealed that, unbeknownst to his supervisors, he had been doing so for three years, including downloading unencrypted information from his home.
The laptop contained a hard drive with the information, and he also took home computer disks and a flash memory stick. The employee reported the purported break-in of his Aspen Hill, MD home to the local Montgomery County police, and reported the theft to Michael H. McLendon, VA Deputy Assistant Secretary for Policy, shortly after it occurred. Law enforcement considers the theft to be a random burglary, but its ramifications represent the largest personal identification breach that includes Social Security numbers in U.S. history, in either the public or private sector.
VA Inspector General George Opfer testified on May 25, 2006 before the House of Representatives Committee on Veterans' Affairs, the Senate Veterans' Affairs Committee and the Senate Committee on Homeland Security and Governmental Affairs, stating that, during a routine meeting at the VA's Central Office, another Information Security Officer was heard saying that a VA employee's home had been burglarized and that VA electronic records may have been stolen. Obviously, IG Opfer was spared the information as well.
IG Opfer put in motion a criminal investigation on May 12, 2006 within the VA, and the employee was interviewed on May 15, 2006. The local police had been investigating the theft since May 3, 2006, but the Federal Bureau of Investigation (FBI) was not apprised until May 17, 2006, the day after Nicholson was advised. Nicholson then briefed U.S. Attorney General Alberto Gonzales and the Chairman of the Federal Trade Commission, Deborah Platt Majoras, along with the co-chairs of the President's Identity Theft Task Force. And lastly, the U.S. Congress was advised on May 22, 2006, when the public announcement was made.
The active-duty personnel information considered missing as of June 6, 2006 now includes more than 1 million National Guard and Army Reserve members, which includes at least 55,000 serving at least their second active-duty tours in Iraq and at least 30,000 active-duty Navy personnel who completed their first enlistment terms prior to 1991. But now it is confirmed that as many as 1.1 million active-duty troops from all of the armed forces are at risk of identity theft.
Since the theft findings, the data analyst has been fired with full benefits and severance pay, Deputy Assistant Secretary McLendon has resigned from his post, and Acting Assistant Secretary Duffy, acting head of the Division for Policy Planning and Preparedness, was put on administrative leave. Secretary Nicholson, serving as Secretary of the VA since 2005, has also hired Rick Romley as his new advisor for information security, who will assist Nicholson with reforming the VA's policies and procedures on information security for a minimum period of three months. Romley is a former Maricopa County, AZ attorney, Vietnam Veteran and high-profile former Republican National Party Chairman in the state of Arizona.
The long history of security flaws within the VA does not come as news to many within the Government Accountability Office (GAO), or within the VA's Office of the Inspector General. And for that reason, it is even more difficult for lawmakers to fathom. "The chronology that you gave us is absolutely baffling. It's just inconceivable that there were such long delays," Senator Susan Collins (R-Maine), Chairwoman of the Senate Committee on Homeland Security and Governmental Affairs, stated during IG Opfer's May 25th testimony before the committee.
Senator Collins' remarks are all the more remarkable given other occasions over the past year when she and her committee have reiterated such phraseology concerning other bureaucratic missteps by the former Director of the Federal Emergency Management Agency (FEMA), Michael Brown, during his testimony on Hurricane Katrina recovery efforts, and during hearings regarding the Committee of Foreign Investments in the U.S. (CFIUS) and its approval of the government of Dubai's purchase of several U.S. ports' operations without considering its full ramifications or advising members of Congress.
The VA was among eight agencies given a failing grade for computer security practices in 2005 by the GAO. But since 2001 the VA Inspector General's Office has advised the VA that its information access controls are materially weak, creating substantial risk and serious vulnerabilities which remain uncorrected.
Such vulnerabilities are far simpler to correct than one might think, as the failure to encrypt files sent electronically or placed on disks and the allowance of access to information by unauthorized personnel are among the VA's security violations. And although federal privacy security policies are based upon the Privacy Act of 1974 and the 2002 Federal Information Security Management Act, along with further legislation pending, it remains up to employees to adhere to policies and procedures, no matter how many more are put in place.
Due to the interconnectivity of massive federal agencies, diligence in protecting data and computer systems becomes even more necessary. In fact, had the employee who took the laptop not reported the theft, there would have been no way for the VA to have known of the breach of information. Yet, given each agency's own policies in place concerning data protection, the differences in practice are wide-ranging. The Senate is looking to centralize such data protections not only within an agency but federally, as well as requiring notifications to those whose information has been breached. Such notification presently is only required by a handful of states and with respect to the financial industry or data credit brokers only.
It is, however, important to note other cases of security breaches within the VA over the past few years. In April 2006, military computers containing personnel records were found being sold at a bazaar outside a U.S. military base in Afghanistan. In September 2005, thieves stole personnel information on deployed soldiers from Fort Carson, CO. Records on more than 560,000 troops, veterans and dependents were stolen in December of 2002 from computers at a healthcare provider located in Arizona. All such data was in unencrypted databases. In addition, military personnel's physical papers and IDs have been stolen from military personnel outside of as well as within the VA.