Interesting People mailing list archives

more on VA laptop with personal data on 26.5 million vets stolen


From: David Farber <dave () farber net>
Date: Fri, 26 May 2006 01:58:47 -0400



Begin forwarded message:

From: Glenn Tenney CISSP CISM <gt_IP060107 () think org>
Date: May 25, 2006 11:59:16 PM EDT
To: Dave Farber <dave () farber net>
Subject: Re: Breaking news: VA laptop with personal data on 26.5 million vets stolen

( for IP if you wish )

There's a lot of news popping up now about this...  You can get the
"Latest Information on Veterans Affairs Data Security" at
http://firstgov.gov/veteransinfo.shtml

The Rockville, MD police report can be found at
http://www.firstgov.gov/veterans_reward_offered.pdf


I saw excerpts of the news covering the U.S. Congress asking the head
of the V.A. about this.  The first article below is about this
hearing.  Unbelievable!

I've also included a second article below about how the V.A. is going
to spend $25 Million on just setting up a call center to handle this.


To put some of this in perspective... it's estimated that just
offering credit monitoring for a year would cost at least $10
per person affected; and based on another recent data compromise,
it cost that company $78 per person to deal with that incident.

Assuming that the V.A. can get that all done for half that of the
commercial sector, that's still over $1 Billion!

The amount of money spent to contain and mitigate a compromise such as
this can be two or perhaps even three orders of magnitude more than
what it would have cost instead to design and deploy such a system
using security industry best-practices.

--
Glenn Tenney CISSP CISM



 - - - - First of Two Articles - - - -


http://www.nytimes.com/2006/05/25/washington/24cnd-identity.html

May 25, 2006

V.A. Chief Admits to Data Security Problems
By DAVID STOUT

WASHINGTON, May 25 -- Officials of the Veterans Affairs Department
told angry lawmakers today that an agency employee had been taking
home sensitive data for three years before it was stolen from his
residence, compromising the records of 26.5 million veterans.

"He said that he routinely took such data home to work on it, and had
been doing so since 2003," George J. Opfer, the department's inspector
general, told senators, some of whom expressed amazement at how the
department has handled the theft.

Secretary R. James Nicholson said computer security has lagged at the
agency, which he has headed for just over a year, because of past
"embedded cultural resistance" to change.

That inertia is beginning to dissolve, Mr. Nicholson told a joint
hearing of the Veterans' Affairs and Homeland Security and Government
Affairs committees. "But I'm not going to tell you it's what it should
be," he said in response to a question from Senator Susan Collins, the
Maine Republican who heads the homeland security panel.

Mr. Nicholson said that just sending letters to veterans whose data
was compromised -- those discharged since 1975, plus some veterans
getting disability compensation -- will cost $11 million to $12
million.

Mr. Nicholson did not specify how much the agency expects to spend on
telephone banks, Web sites and other measures, but Ms. Collins said
she expected him to have to ask for more money.

"This responsibility rests on me," Mr. Nicholson told the senators,
who greeted him warmly and seemed angry not at him but at the
235,000-employee veterans agency bureaucracy, which has been
criticized by its own inspector general's office several years in a
row for inadequate data security.

It seemed possible from exchanges between Mr. Nicholson and members of
the committees that the full dimension of the current data breach,
which came about because an agency employee's suburban house was
burglarized after he took the data home without authorization, may not
yet be known.

Suppose, Ms. Collins said, that letters are sent to veterans who have
already died, then are returned unopened. Could spouses or other
relatives be vulnerable?

"That's a good question," Mr. Nicholson replied. "We'll have to look
at that."

Moreover, he said that the data on some veterans included "numerical
disability ratings and the diagnostic codes which identify the
disabilities being compensated," enough knowledge for some
unauthorized people to compute compensation payments.

Mr. Nicholson said the employee who took the data home had broken no
law "as near as I can tell," even though he violated department
policy. He said the employee, a data analyst, had been cooperating
with the Montgomery County police and the Federal Bureau of
Investigation.

Mr. Nicholson said he continued to be outraged over the delay between
the burglary, on May 3, and the date he learned about it, May
16. Senators Collins and Larry Craig, the Idaho Republican who heads
the Veterans' Affairs Committee, used adjectives like "baffling,"
"mind-boggling" and "just unbelievable" to describe the time lag.

Mr. Opfer, the inspector general, said none of the employee's
supervisors said they were aware that he took the computer
information, stored on discs, to his home. Mr. Opfer said the employee
was working on a project that involved "manipulating large quantities
of data to address certain policy issues."

Because Mr. Nicholson learned of the burglary 13 days after the fact,
the F.B.I. was also late in learning about it. Mr. Nicholson and
Mr. Opfer both promised to find out who knew what when, and who should
be held responsible for the delay in informing the secretary.



 - - - - Second of Two Articles - - - -

http://www.govexec.com/story_page.cfm?articleid=34176&dcn=e_gvet

VA to shift up to $25 million to handle data theft inquiries

By David Perera
dperera () govexec com
May 24, 2006

The Veterans Affairs Department is prepared to shift up to $25 million
of its fiscal 2006 funding to handle initial costs associated with the
theft of as many as 26.5 million veterans' personal data from an
employee's suburban Maryland home. The overall price tag could climb.

Lawmakers on Wednesday granted VA authority to reprogram up to $25
million to pay for the call center supporting the toll-free number it
has set up in the wake of its Monday announcement that personal
information, including Social Security numbers, of possibly every
living U.S. veteran discharged since 1975 was stolen from the
employee's house. Data on veterans discharged before 1975 but with
claims filed at the agency since, as well as on some veterans'
spouses, also is at risk.

The department had received 84,309 calls as of 10 p.m. Tuesday,
spokesman Matthew Burns said. Call volume more than doubled on the
second day, according to figures he supplied.

Under the authority granted, money to pay for the call center could be
taken from four information technology programs, according to a
congressional source. VA management is uncertain whether all $25
million will be needed to support the call center. But the department
must also shoulder other expenses, including the cost of printing and
mailing notification letters.

About $12 million could be culled from a Veterans Health
Administration program for computer infrastructure and network
management. An additional $1.5 million could come from a Veterans
Benefit Administration project on IT program integrity and data
management. Also, an effort called One VA Eligibility and Registration
could end up losing $4.5 million. The initiative was designed to
ensure that veterans only have to register once with the department in
order to receive all the benefits for which they are eligible.

Lastly, a program to create a common VHA electronic repository for
health records could lose $7 million. The House Appropriations
Committee instructed VA to touch those funds only if the other
reprogrammed funds have been depleted, a congressional source
said. The fiscal 2006 budget for the health record project is only $16
million, so the $7 million would amount to almost a 50 percent cut.

The $25 million price tag could prove just the beginning of the
department's expenses associated with the theft, however.

Sen. John Kerry, D-Mass., on Wednesday introduced a bill that would
provide free credit monitoring for all veterans affected by the data
theft. When the Alpharetta, Ga.-based data broker ChoicePoint
disclosed in 2005 that personal information for about 145,000 people
had been sold to criminals posing as a legitimate businessman, the
incident ended up costing the company $11.4 million through June 30,
2005, according to company records. Two million of that was just for
credit reports and credit monitoring for victims.

Both the House and Senate committees on veterans' affairs will hold
hearings on the theft on Thursday morning. Among the topics staffers
say will be discussed is the more than two-week lag time between when
the theft occurred -- May 3 -- and the day the department notified
potential victims.

In a statement released Wednesday, department Secretary R. James
Nicholson said he is "concerned about the timing of the department's
response once the burglary became known." The department is conducting
"a very extensive review of individuals up and down the chain of
command," he said.



Archives at: http://www.interesting-people.org/archives/interesting-people/
