[ISN] VA Data in Format Not Widely Used

InfoSec News isn at c4i.org
Fri Jun 2 01:16:29 EDT 2006


By Christopher Lee
Washington Post Staff Writer
June 1, 2006

The sensitive personal information of 26.5 million veterans that was
stolen from a Department of Veterans Affairs data analyst last month
was stored in a format that could make it difficult for thieves to
use, according to an internal VA memo.

In the May 5 memo, VA privacy officer Mark Whitney wrote that the
critical data "may not be easily accessible" because most of it --
including names, birth dates and Social Security numbers -- was stored
in a specialized, standard format used for data manipulation and
statistical analysis.

The format "requires specialized application software and training" to
write computer code "to access and manipulate the data for use,"  
Whitney wrote in the memo, obtained yesterday by The Washington Post.

Ari Schwartz, deputy director of the nonprofit Center for Democracy
and Technology, a privacy group, said Whitney is generally right that
the information would be hard to extract.

It would be easier, however, if the laptop stolen along with an
external hard drive and several data disks has the software needed to
view the data, he said. "This is not nearly the type of protection
they would have had if they had followed basic security procedures and
encrypted this," Schwartz said.

The Whitney memo, dated two days after the burglary at the analyst's
Aspen Hill home and distributed to several high-ranking VA officials,
provides the first public indication that some addresses and telephone
numbers were among the stolen data; it refers to such information
being part of electronic files of a national survey of about 20,000
veterans in 2001.

Also stolen was an electronic spreadsheet with 6,744 records about
"mustard gas veterans" -- generally, veterans who took part in
chemical warfare tests during World War II. Another stolen file
contains as many as 10 diagnostic codes from the treatment file of one
veteran who visited the VA health-care system on 57 dates.

"These type of data contain more than limited financial information,
the codes contain information about veterans' medical conditions,"  
Rep. Bob Filner (D-Calif.) said in a statement. "It is not appropriate
for this information to ever enter the public domain."

Matthew Burns, a VA spokesman, said the department has been "focused
on getting notification to veterans that some of the most sensitive
data was out there."

Also yesterday, VA Secretary Jim Nicholson announced that he had named
Richard M. Romley, a former prosecutor from Maricopa County, Ariz., as
his new special adviser for information security. Romley, a Marine
Corps veteran, will evaluate the department's computer security
procedures and recommend improvements.

The move follows the resignation last week of Michael H. McLendon, a
VA deputy assistant secretary who learned of the May 3 burglary within
hours of the crime but did not immediately tell top-ranked officials.

Nicholson announced Tuesday that the employee will be fired and that
Dennis M. Duffy, who has been acting assistant secretary for policy
and planning, had been placed on administrative leave. The employee
worked in McLendon's office, and Duffy was in charge of the division
in which both worked.

Nicholson learned of the information breach on May 16 and told the
public on May 22, nearly three weeks after the crime.

© 2006 The Washington Post Company

More information about the ISN mailing list