Monday, May 22, 2006

VA Employee Loses 26.5 Million Veteran SSNs

Wow, now this is a serious breach of security.

Thieves took sensitive personal information on 26.5 million U.S. veterans, including Social Security numbers and birth dates, after a Veterans Affairs employee improperly brought the material home, the government said Monday.

The information involved mainly those veterans who served and have been discharged since 1975, said VA Secretary Jim Nicholson. Data of veterans discharged before 1975 who submitted claims to the agency may have been included.

Now this is a serious boneheaded error that they should get to the bottom of. This information is as good as gold to identity theft types who could go after vets to file false claims, open credit card accounts, and a whole list of nefarious things. This is the reason why it all went down:

Nicholson declined to comment on the specifics of the incident, which involved a midlevel data analyst who had taken the information home to suburban Maryland on a laptop to work on a department project.

The residential community had been a target of a series of burglaries when the employee was victimized earlier this month, according to the FBI in Baltimore. Local law enforcement and the VA inspector general were also investigating.

In other words, some idiot brought home a copy of something like the master data file on their laptop so they could do some project that they are too lazy to do at work. The idea of such a data file existing in a non-encrypted form that would be able to move to a laptop is mind-boggling. There was no VPNing to the .mil Dbase to access this information or anything like that. Hell, even if that person GoToMyPCed into their work computer it would have been less of a security threat.

Then, to add insult to injury, this idiot lives in a high-crime neighborhood and gets the laptop pinched. No laptop lock or any other physical security for the thing at all. I really think they should overhaul the VA's entire computer security setup. If 26.5 million customer accounts for a bank were lost then there would be a run on that bank and maybe the CEO would have to resign. This screw-up should be no different.
