Interesting People mailing list archives
more on VA laptop with personal data on 26.5 million vets stolen
From: David Farber <dave () farber net>
Date: Fri, 26 May 2006 01:58:47 -0400
Begin forwarded message:

From: Glenn Tenney CISSP CISM <gt_IP060107 () think org>
Date: May 25, 2006 11:59:16 PM EDT
To: Dave Farber <dave () farber net>
Subject: Re: Breaking news: VA laptop with personal data on 26.5 million vets stolen

( for IP if you wish )

There's a lot of news popping up now about this...

You can get the "Latest Information on Veterans Affairs Data Security" at http://firstgov.gov/veteransinfo.shtml

The Rockville, MD police report can be found at http://www.firstgov.gov/veterans_reward_offered.pdf

I saw excerpts of the news covering the U.S. Congress asking the head of the V.A. about this. The first article below is about this hearing. Unbelievable!

I've also included a second article below about how the V.A. is going to spend $25 Million on just setting up a call center to handle this.

To put some of this in perspective... it's estimated that just offering credit monitoring for a year would cost at least $10 per person affected; and based on another recent data compromise, it cost that company $78 per person to deal with that incident. Assuming that the V.A. can get that all done for half that of the commercial sector, that's still over $1 Billion!

The amount of money spent to contain and mitigate a compromise such as this can be two or perhaps even three orders of magnitude more than what it would have cost instead to design and deploy such a system using security industry best-practices.

--
Glenn Tenney CISSP CISM

- - - - First of Two Articles - - - -

http://www.nytimes.com/2006/05/25/washington/24cnd-identity.html

May 25, 2006
V.A. Chief Admits to Data Security Problems
By DAVID STOUT

WASHINGTON, May 25 -- Officials of the Veterans Affairs Department told angry lawmakers today that an agency employee had been taking home sensitive data for three years before it was stolen from his residence, compromising the records of 26.5 million veterans.

"He said that he routinely took such data home to work on it, and had been doing so since 2003," George J. Opfer, the department's inspector general, told senators, some of whom expressed amazement at how the department has handled the theft.

Secretary R. James Nicholson said computer security has lagged at the agency, which he has headed for just over a year, because of past "embedded cultural resistance" to change. That inertia is beginning to dissolve, Mr. Nicholson told a joint hearing of the Veterans' Affairs and Homeland Security and Government Affairs committees. "But I'm not going to tell you it's what it should be," he said in response to a question from Senator Susan Collins, the Maine Republican who heads the homeland security panel.

Mr. Nicholson said that just sending letters to veterans whose data was compromised -- those discharged since 1975, plus some veterans getting disability compensation -- will cost $11 million to $12 million. Mr. Nicholson did not specify how much the agency expects to spend on telephone banks, Web sites and other measures, but Ms. Collins said she expected him to have to ask for more money.

"This responsibility rests on me," Mr. Nicholson told the senators, who greeted him warmly and seemed angry not at him but at the 235,000-employee veterans agency bureaucracy, which has been criticized by its own inspector general's office several years in a row for inadequate data security.

It seemed possible from exchanges between Mr. Nicholson and members of the committees that the full dimension of the current data breach, which came about because an agency employee's suburban house was burglarized after he took the data home without authorization, may not yet be known.

Suppose, Ms. Collins said, that letters are sent to veterans who have already died, then are returned unopened. Could spouses or other relatives be vulnerable? "That's a good question," Mr. Nicholson replied. "We'll have to look at that."

Moreover, he said that the data on some veterans included "numerical disability ratings and the diagnostic codes which identify the disabilities being compensated," enough knowledge for some unauthorized people to compute compensation payments.

Mr. Nicholson said the employee who took the data home had broken no law "as near as I can tell," even though he violated department policy. He said the employee, a data analyst, had been cooperating with the Montgomery County police and the Federal Bureau of Investigation.

Mr. Nicholson said he continued to be outraged over the delay between the burglary, on May 3, and the date he learned about it, May 16. Senators Collins and Larry Craig, the Idaho Republican who heads the Veterans' Affairs Committee, used adjectives like "baffling," "mind-boggling" and "just unbelievable" to describe the time lag.

Mr. Opfer, the inspector general, said none of the employee's supervisors said they were aware that he took the computer information, stored on discs, to his home. Mr. Opfer said the employee was working on a project that involved "manipulating large quantities of data to address certain policy issues."

Because Mr. Nicholson learned of the burglary 13 days after the fact, the F.B.I. was also late in learning about it. Mr. Nicholson and Mr. Opfer both promised to find out who knew what when, and who should be held responsible for the delay in informing the secretary.

- - - - Second of Two Articles - - - -

http://www.govexec.com/story_page.cfm?articleid=34176&dcn=e_gvet

VA to shift up to $25 million to handle data theft inquiries
By David Perera
dperera () govexec com
May 24, 2006

The Veterans Affairs Department is prepared to shift up to $25 million of its fiscal 2006 funding to handle initial costs associated with the theft of as many as 26.5 million veterans' personal data from an employee's suburban Maryland home. The overall price tag could climb.

Lawmakers on Wednesday granted VA authority to reprogram up to $25 million to pay for the call center supporting the toll-free number it has set up in the wake of its Monday announcement that personal information, including Social Security numbers, of possibly every living U.S. veteran discharged since 1975 was stolen from the employee's house. Data on veterans discharged before 1975 but with claims filed at the agency since, as well as on some veterans' spouses, also is at risk.

The department had received 84,309 calls as of 10 p.m. Tuesday, spokesman Matthew Burns said. Call volume more than doubled on the second day, according to figures he supplied.

Under the authority granted, money to pay for the call center could be taken from four information technology programs, according to a congressional source. VA management is uncertain whether all $25 million will be needed to support the call center. But the department must also shoulder other expenses, including the cost of printing and mailing notification letters.

About $12 million could be culled from a Veterans Health Administration program for computer infrastructure and network management. An additional $1.5 million could come from a Veterans Benefit Administration project on IT program integrity and data management. Also, an effort called One VA Eligibility and Registration could end up losing $4.5 million. The initiative was designed to ensure that veterans only have to register once with the department in order to receive all the benefits for which they are eligible.

Lastly, a program to create a common VHA electronic repository for health records could lose $7 million. The House Appropriations Committee instructed VA to touch those funds only if the other reprogrammed funds have been depleted, a congressional source said. The fiscal 2006 budget for the health record project is only $16 million, so the $7 million would amount to almost a 50 percent cut.

The $25 million price tag could prove just the beginning of the department's expenses associated with the theft, however. Sen. John Kerry, D-Mass., on Wednesday introduced a bill that would provide free credit monitoring for all veterans affected by the data theft.

When the Alpharetta, Ga.-based data broker ChoicePoint disclosed in 2005 that personal information for about 145,000 people had been sold to criminals posing as a legitimate businessman, the incident ended up costing the company $11.4 million through June 30, 2005, according to company records. Two million of that was just for credit reports and credit monitoring for victims.

Both the House and Senate committees on veterans' affairs will hold hearings on the theft on Thursday morning. Among the topics staffers say will be discussed is the more than two-week lag time between when the theft occurred -- May 3 -- and the day the department notified potential victims.

In a statement released Wednesday, department Secretary R. James Nicholson said he is "concerned about the timing of the department's response once the burglary became known." The department is conducting "a very extensive review of individuals up and down the chain of command," he said.

-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/