The data – stolen from the residence of a VA analyst who improperly went home with the information – contained the names, Social Security numbers and dates of birth of any veteran discharged after 1975 and some of their spouses, leaving them at risk for identity theft. However, no health or financial records were included as part of the data.
"It is a mystifying and gravely serious concern that a VA data analyst would be permitted to just walk out the VA door with such information," the Democrats of the House Committee on Veterans Affairs said in a Monday statement. "Further, VA must determine who else has access to this type of information, restrict such access to essential personnel only and enforce that internal restriction."
Committee Chairman Steve Buyer, R-Ind., said in a statement Monday that he expects close cooperation among agencies in the investigation.
"I am deeply concerned that nearly 27 million veterans may be affected by a security breach that could compromise sensitive, personal information. I expect VA’s inspector general and the FBI to work closely together so that we can identify and eliminate the flaws that allowed this leak and prosecute any criminal acts," he said. "I know that VA is taking steps to notify veterans and provide help on consumer identity protection."
The FBI and the VA Inspector General’s Office have launched an investigation into the burglary, which occurred May 3 in Aspen Hill, Va., The Washington Post reported today, citing an anonymous source. Authorities do not believe the burglars targeted the home.
The VA said in a statement: "It is possible that they (the offenders) remain unaware of the information they possess or how to make use of it."
The theft underscores the need for employees to be aware of the value of information, said Jim Ivers, senior vice president of marketing at Cybertrust.
"This breach underscores the breadth of the challenge in securing data and protecting privacy, as it was the human element that became the source of the compromise," he said. "Information security is a very human process, and technology is only one component of the solution. Security is about people, processes and technology, and this unfortunate incident is a perfect example."
About 90 percent of the time companies lose confidential information, it is done accidentally by a well-meaning employee,
Ninety percent of corporate confidential information losses are done by well-intentioned employees, said Ken Rutsky, vice president of worldwide marketing for Workshare, a content security firm that sells risk assessment tools.
"I think this is just another example of how organizations that deal with people’s information need to take privacy and the security of that information very seriously," Rutsky said. "They need to put technologies and business practices in place that educate and empower users to be smart and also protect the organization."
The VA inspector general has criticized the department in the past for shoddy information security practices, particularly in regard to the possibility of cyberattacks, the Washington Post reported.
Acting Inspector General Jon A. Wooditch wrote in a November 2005 report: "VA has not been able to effectively address its significant information security vulnerabilities and reverse the impact of its historically decentralized management approach."
The Washington Post reported VA Secretary Jim Nicholson has ordered all employees to undergo a computer security awareness-training course by the end of June.
The VA plans to send out letters to veterans notifying them of the theft, according to a statement. Veterans also can visit www.firstgov.gov or www.va.gov/opa for additional information, or they can call (800) 333-4636 to learn more about how to protect themselves against identity theft.