May 22, 2006 2:50 PM PDT

Veterans' data swiped in theft

Personal information belonging to 26.5 million U.S. veterans was seized following the theft of the data from the home of a government employee, according to the U.S. Department of Veterans Affairs.

According to a message posted on the department's Web site on Monday, one of the department's data analysts violated procedure by taking home the information without authorization. The information was stored on a laptop, according to Avivah Litan, a security analyst for research firm Gartner. Law enforcement agencies have launched a search, the department said.

The message also said that besides Social Security numbers, data lost included dates of birth for veterans and some of their wives. The employee whose house was robbed was placed on administrative leave.

The number of Social Security numbers involved means this could be one of the largest thefts of SSNs ever. But in no way is the theft of Social Security numbers uncommon. Just this month, Ohio University announced that data thieves broke into three of the school's computer servers and accessed 200,000 Social Security numbers belonging to students and alumni.

Others who have suffered the loss of such information are the Metropolitan State College in Denver, the U.S. Department of Agriculture, and Los Angeles' Department of Social Services, according to the Privacy Rights Clearinghouse.

Because of the growing number of Social Security number thefts, Gartner has advised businesses to stop relying on SSNs as "the ultimate identifier" of individuals, says Litan, the firm's security analyst.

"If you add up all these thefts, we estimate that one out of seven Social Security numbers is in criminal hands," Litan said. "Or the numbers are in the hands of illegal immigrants or are sitting somewhere in a chat room. You can't rely on them anymore."

The good news for Veterans Affairs is that the crooks may not know what they have.

"It is possible that (the thieves) remain unaware of the information which they posses or of how to make use of it," Veterans Affairs said on the Web site.

Gartner's Litan agrees. Studies have shown that thefts of computers storing sensitive data have resulted in only a small percentage of identity theft, she says. And she added that information on millions of veterans would not necessarily yield much loot.

"Frankly, veterans don't have a lot of money," Litan said. "They aren't typically wealthy people. Criminals aren't going to be taking out 26 million loans (in the names of the veterans whose information was stolen). That's a lot of information, and the thieves have time constraints just like everybody else. They want information on the wealthiest individuals."

See more CNET content tagged:
social security number, Social Security, theft, veteran, Gartner Inc.

15 comments

Join the conversation!
Add your comment
What a way to thank Veterans
What a way to show service men and women thanks after their tours of duty. We can do better than have such a seious breach occur <a class="jive-link-external" href="http://www.iwantmyess.com/?p=61" target="_newWindow">http://www.iwantmyess.com/?p=61</a>

My cousin just came back to Savannah after a tour in Iraq. This is the last thing she or her spouse want to deal with. Getting back to a "regular" life is hard enough to now have to add ID theft to the matter.
Posted by marileev (292 comments )
Reply Link Flag
which is why we need privacy laws
Fortunately I think it's almost certain that the first thing the thief did was wipe the hard disk, most do, followed by the removal of all serial numbers.

The hard disks are wiped so that identifiable data can't be produced, e.g. "that's my laptop, see my emails are on it.."

But that's hardly the point.

What should happen is that the person responsible for the data loss should face sanctions.

If we had decent privacy laws, data retention of this sort would not happen.
Posted by ajbright (447 comments )
Link Flag
What a way to thank Veterans
What a way to show service men and women thanks after their tours of duty. We can do better than have such a serious breach occur <a class="jive-link-external" href="http://www.iwantmyess.com/?p=61" target="_newWindow">http://www.iwantmyess.com/?p=61</a>

My cousin just came back to Savannah after a tour in Iraq. This is the last thing she or her spouse want to deal with. Getting back to a "regular" life is hard enough to now have to add ID theft to the matter.
Posted by marileev (292 comments )
Reply Link Flag
Government ineffectiveness on display
With the FBI and NSA spending billions on encryption software to keep personel lists, plans and other info secret, why can't they spend a small fraction of that amount to encrypt thier data? With the multitude of easy-to-install products out there, you think they could find one encryption product to use. But wait that involves foresight and action, two things government lacks.

It's funny how they are willing to prosecute and fine companies left and right for data security breaches (as well they should). Nut they are not willing to apply those same standards to thier own organizations.
Posted by NSWorldwide (6 comments )
Link Flag
confirmed as laptop theft?
Has anyone confirmed that the data was stolen from a laptop computer?
Posted by amigosito (71 comments )
Reply Link Flag
Pretty sure I am probably on the list
If this ruins my credit I will find out who the guy is responsible for it and use his :)
Posted by Dachi (797 comments )
Reply Link Flag
Staggering lack of respect and decency
This affects our family. It frosts me to think that millions of these veterans dealt daily with classified information, safeguarding it conscientiously because of their own convictions, and also under threat of severe penalty. Then, their own personal data, data that can end up costing some of them their jobs (loss of security clearance due to identity theft), is allowed to be subject to an individual VA employee's carelessness. Why would this information be on a personal computer of any sort, let alone a laptop? What "analysis" would require that information? The military would not tolerate this kind of carelessness in a contractor.

The Gartner Group employee had a lot of nerve. I'm sure Norman Schwarzkopf will be glad to know that he isn't worth enough for someone to steal his money or ruin his reputation.
Posted by LaurieEm (1 comment )
Reply Link Flag
veterans don't have money?
out of the millions of SSN's stolen to date, how many of them are tied to people with money anyhow? the difference between a set of SSN's of a diverse and uncertain group and a set of a known group is that witht he known group you at least have something to go on.

with the veterans' SSN's, there's a good chance most of them receive a regular government check that is direct deposited into a bank account. it's hard enough to get a single SSn of a millionaire, but having 27 million SSN's of a group that has a 10% chance that they get regular guaranteed monthly checks of around $1000 (plus or minus a few hundread) then you potentially have millions. veterans also tend to have better credit than average working class folks, so the value of a veteran's SSN here is being far under stated.
Posted by johnnyis42 (5 comments )
Reply Link Flag
insensitive analyst
I agree, the Gartner analyst, Avivah Litan came off as insensitive when he spoke about data theives going after those with large acocunts. ID theft in mass affects those of us in the median income range most. --Marilee V.
Posted by marileev (292 comments )
Link Flag
don't have tons of money, but I have good credit
I'm probably on the list, serving from '86-'90, and the author is correct, I don't have tons of money. I do have access to quite a bit of credit, though. I worked hard to get where I am, and for the author to dismiss veterans as a bunch of paupers is garbage. Most of the veterans I know work hard for what they have, and for some lackluster government employee to put their futures in jeopardy is criminal, not something that they should be suspended for.
Posted by dgrawe (1 comment )
Reply Link Flag
As A Veteran and a Software Engineer in SillyCon Valley ...
I'm going to join the effort to track down both the miscreant who stole the laptop (and anyone to whom they may sell it if the data is still on it) and the miscreant at the VA who violated regulations and probably some laws. If any of this data winds up being exploited, they are all going to wish that they had tried a different route to Easy Street.

There are millions of veterans who are military retirees, and they certainly have a significant chunk of their income to lose (the largest single line item in the DoD budget is retiree pay, i.e., hundreds of billions of dollars). Disabled veterans get significant amounts of money, the vast majority of which goes toward rehabilitation and related costs (travel, equipment, medical testing material, and on, and on - my father is a 100% disabled WW-II vet, and I've spent my entire adult life paying for expenses not covered by his disability payments, which are substantial).

Every veteran is entitled to up to $359,000 in a no-down-payment loan to buy a home - it doesn't take very many of those loans, acquired through fraud, to add up to a huge amount of money for which the affected veterans wind up on the hook, and when they can't pay, all of the taxpayers foot the bill. When their credit is ruined and the bad loan winds up replicated in thousands of databases, they can wind up on taxpayer-funded subsistence.

There is potentially a huge amount of money involved in exploitation of this data, and the comment that veterans don't make much money is an absolutely falacious assumption, and frankly, perpetuates a completely inaccurate stereotype of veterans being helpless invalids with minimal capacity to achieve anything significant with their lives. About 10 percent of veterans are former officers who all have college educations and another few percent of veterans are current or former enlisted personnel who have used their veterans educational benefits to achieve college education. A disproportionate number of leaders in business and government are veterans who quietly carry on with their personal and professional lives without making a lot of noise about their background. There's a very good reason why business people have long embraced military principle - witness the popularity of Sun Tzu's writings many millenia after his demise, among many more authors with military experience, who have successfully applied it to the business environment.

Being a well-paid professional working in SillyCon Valley, I'm certainly concerned about my personal data falling into the hands of criminals (although, given the cost of living here, good luck to anyone being able to take out a loan, or even get a credit card with a $300 limit, using my name and SSN! :) ). However, I've been routinely amazed at how clever criminals can be, and how stupid the financial sector routinely is. Lethargic would be a benevolent description of the financial sector's ability to react to prevent trouble for their customers. It's apparently all about volume, and individual customers are just crumbs to be swallowed whole and spit out when they encounter trouble, even if it's not their fault (e.g., being victims of identity theft).

The people who made the statement about veterans not having much money, and the "journalists" who allowed it to be perpetuated, need to apologize to hard-working veterans everywhere, who continue to make their way of life and freedom even possible, in the largest public forums that exist.

All the Best,
Joe Blow
Citizen
Guardian
Veteran
Posted by Joe Blow (175 comments )
Reply Link Flag
Money? NO! Honor? YES...well, maybe
Yes, I am one of those vets who owrks hard, mainly to pay my bills. Currently, my savings account has a whopping $ 23.71 in it. However, paying my bills has alsways been a matter of pride to me. The only thing we ever truly own is our word; if you borrow money, then you ought to pay it back.
It is a sad state of affairs that an agency I rely on for healthcare (I can't afford private insurance), supposedly dedicated to veterans, could allow my very honor to be stolen. To think that even as I am writing this, some cretin is probably using my personal info to defraud somebody else is unfathomable. Just as bad, that will eventually come back on me...and I will be obligated to pay money I don't have!
Posted by rrothfeldt (3 comments )
Reply Link Flag
Not suprising about VA
Their lack of security back in the 90's was appalling. IRM and IT employees were telecommunting from home updating the VA DHCP system over dial-up connections. VA employees were taking sensitive information home with them on the Laptops back then. I see that nothing has changed. As a Vet myself, I am deeply concerned about my data being stolen.
Posted by Des Alba (68 comments )
Reply Link Flag
Thought everyone should know that some VA offices are still including your entire social security number as the file number in their correspondence with you. I would have thought they'd have changed that by now.
Posted by lmyatt (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.