[ISN] Stolen VA Laptop and Hard Drive Recovered

InfoSec News isn at c4i.org
Fri Jun 30 12:37:26 EDT 2006


By Christopher Lee and Zachary A. Goldfarb
Washington Post Staff Writers
June 30, 2006

Federal officials yesterday announced the recovery of computer
equipment stolen from an employee of the Department of Veterans
Affairs. They said that sensitive personal information of 26.5 million
veterans and military personnel apparently had not been accessed.

The laptop and external hard drive, stolen May 3 from a VA data
analyst's home in Aspen Hill, contained the names, birth dates and
Social Security numbers of millions of current and former service
members. The theft was the largest information security breach in
government history and raised fears of potential mass identity theft.

VA Secretary Jim Nicholson announced the recovery yesterday during a
hearing of the House Committee on Veterans Affairs.

"Law enforcement has in their possession the laptop and hard drive,"  
Nicholson said. "The serial numbers match. They are diligently
conducting forensic analysis on it to see if they can tell whether
it's been duplicated or utilized or entered in any way, and that work
is not complete. However, they did say to me that there is reason to
be optimistic."

FBI officials and local authorities said at a news conference that a
person who had the laptop contacted U.S. Park Police on Wednesday
after seeing news accounts and notices of a $50,000 reward offered by
Montgomery County police. The devices were recovered in the "general
vicinity" of Aspen Hill, said Chief Dwight E. Pettiford of the Park

FBI Special Agent in Charge William D. Chase, of the agency's
Baltimore office, said it is "way too early" to say whether the person
will get the reward or whether criminal charges will be filed soon.  
FBI spokeswoman Michelle Crnkovich said the tipster is not a suspect.

"A preliminary review of the equipment by computer forensic teams has
determined that the data base remains intact and has not been accessed
since it was stolen," the FBI said in a statement. "A thorough
forensic examination is underway, and the results will be shared as
soon as possible."

Lawmakers hailed the investigative work but said VA still has much to
do to improve data security.

"[T]he basic deficiencies leading to this data loss must be
corrected," Rep. Steve Buyer (R-Ind.), chairman of the Veterans
Affairs Committee, said in a statement. "The history of lenient
policies and lack of accountability within VA management must be

Rep. Lane Evans (Ill.), the committee's ranking Democrat, said in a
statement: "Today's announcement does not relieve the Department of
Veterans Affairs from fixing its broken data security system and
failed leadership."

The theft has proved to be an embarrassing and expensive management
failure for VA. In a series of hearings, lawmakers have criticized
Nicholson for the department's lax security practices and sluggish
response, noting that the secretary was not told of the burglary for
13 days. The incident also has cast light on the department's
consistent ranking near the bottom among federal agencies in an annual
congressional scorecard of computer security.

Pedro Cadenas Jr., the VA official in charge of information security,
resigned yesterday for personal reasons, VA officials said. Earlier, a
high-ranking political appointee was dismissed and a longtime career
manager was forced to retire.

The Bush administration this week asked Congress for $160.5 million to
pay for free credit monitoring for veterans and military personnel. VA
already has budgeted $25 million to create a call center to handle
veterans' questions and to send letters alerting veterans about the
theft. Several veterans groups have filed class-action lawsuits
locally and in Kentucky against the government, seeking $1,000 in
damages per affected veteran.

Initially, VA thought that all of the 26.5 million people affected
were veterans. But a database comparison revealed that the stolen
equipment also contained Social Security numbers and other personal
information for as many as 2.2 million U.S. military personnel,
including 1.1 million active-duty military personnel, 430,000 National
Guard members and 645,000 reserve members.

Nicholson said it is too early to tell whether free-credit monitoring
for veterans is now unnecessary. VA still plans to hire a data
analysis company to monitor whether veterans' identities are being
stolen, he said.

Rep. Bob Filner (D-Calif.) said yesterday that three VA documents
obtained by the Veterans Affairs Committee indicate that the data
analyst was authorized to take a laptop home and use a software
package to access the data. That contradicted Nicholson's previous
testimony that the employee was not authorized to have the information
at home.

"He got all the approvals that he was supposed to have," Filner said.  
"I don't know of a policy that he violated, if you'll tell me one. And
that's the real negligence -- that there were no policies."

Nicholson said he had not seen the documents, and declined to comment
because the career analyst is challenging Nicholson's decision to fire

Tim S. McClain, VA's general counsel, told the panel that one of the
documents did not apply to the laptop that was stolen. He acknowledged
that the other documents granted the analyst access to Social Security
numbers and permitted him to have software at home.

Jim Mueller, commander-in-chief of the national Veterans of Foreign
Wars, applauded the equipment's recovery, but said in a statement that
Nicholson still has much to do to repair the agency's reputation.

"The longer Secretary Nicholson waits to hold people accountable, the
more confidence he will lose in the eyes of America's veterans, their
families, and those who wear the uniform today," he said.

© 2006 The Washington Post Company

More information about the ISN mailing list