Chapell & Associates

Tuesday, May 23, 2006

Personal Data on Veterans Is Stolen

Washington Post - May 23, 2006
As many as 26.5 million veterans were placed at risk of identity theft after an intruder stole an electronic data file this month containing their names, birth dates and Social Security numbers from the home of a Department of Veterans Affairs employee, Secretary Jim Nicholson said yesterday...A career data analyst, who was not authorized to take the information home, has been put on administrative leave pending the outcome of investigations by the FBI, local police and the VA inspector general, Nicholson said.

The Chapell View
I used to live in Los Alamos, NM - a town pretty much centered on Los Alamos National Laboratory, a federal research facility. It was very common for people in the town to be working with classified and secure data, and while I lived there, I heard about more than one loss of sensitive data that shut down the lab for days.

In each case, it seemed, it wasn't that the data was accessed by hackers or left unencrypted. An employee would have moved computer disks somewhere, or brought home an unauthorized laptop.

I'm reminded of this because the recent breach at the Department of Veterans Affairs didn't stem from any lack of technological security. No - an employee had taken a laptop home from work in order to finish a project - which was then stolen in a burglary. Unfortunately, it's this simple sort of mistake that can have enormous consequences - whether it's the loss of classified information (as happened in Los Alamos) or more than twenty million sensitive consumer records.

As CNET reports, this data was mostly made up of social security numbers (SSNs) - and is likely the largest theft of SSNs ever. It's pretty clear that SSNs, the basic identifier for many aspects of modern life (medical care, bank accounts, college admissions, et cetera), are becoming more and more at risk. I don't know if I agree with Avivah Litan, a security analyst at Gartner, who is quoted by CNET as saying "One out of seven Social Security numbers is in criminal hands...You can't rely on them anymore." I do know, though, that the risks associated with using SSNs have led some colleges to replace them with generic ID numbers - as NYU did, after its own breach was caused by an employee error.

So I'm glad to see that the VA is going to require employee training as a result of this breach. It's unfortunate, however, that it took a breach this massive to cause it - and that previous reports on data security, as cited by the Washington Post, had focused on the threat of someone hacking into VA computers.

Sometimes, all the data security in the world can mean very little without consistent employee training.
posted by Isaac on Tuesday, May 23, 2006

© 2005 by Alan Chapell & Associates LLC