Security Blog Log: Uncle Sam slammed over data theft

Column


Bloggers were enraged this week following news that 26.5 million U.S. veterans were put at risk for identity theft after their electronic records were stolen from the residence of a U.S. Department of Veterans Affairs (VA) employee.

The reaction was hardly surprising, given that many security bloggers are veterans themselves.

The department confirmed Monday that the stolen records contained the names, Social Security numbers and dates of birth for every veteran discharged from the military since 1975. At this point, there's no evidence thieves have used the data to commit identity fraud, but that's of little comfort to bloggers like Mike Spinney, a self-described public relations writer, consultant and veteran.

"As a veteran discharged from the U.S. Navy in 1987, this one hits home," he said in his Private Communications blog. "There's a very good chance my information is on the stolen disk. But I'm not here to gripe about the fact that I now have to pay closer attention to my credit records."

Instead, he chastised government institutions for having a "lousy" data protection record. Citing a tally the Privacy Rights Clearinghouse (PRC) has been keeping since February 2005, he noted that by his count, federal agencies have lost the records of more than 668,000 individuals. And that doesn't include incidents involving state government and public colleges and universities. He said security breaches have hit such federal institutions as the Justice Department, Air Force, Marine Corps, Department of Agriculture and the Federal Deposit Insurance Corporation.

"Add this week's 26.5 million veterans and the federal government accounts for at least one third of the 81-plus million data records the PRC says have been compromised since ChoicePoint," Spinney said. "This doesn't mean that Congress has lost its moral authority to draft and enact a federal data protection and notification law, but it does mean that the federal government needs to quickly and forcefully address its own shortcomings with regard to data protection."

Spinney linked to another blog chock full of criticism for Uncle Sam: MSNBC's Red Tape Chronicles. There, MSNBC Internet scam and consumer fraud specialist Bob Sullivan wrote that the victims, who once put their lives on the line for their country, appear to be getting even less compensation than most victims of data theft.

"The support offered to victims by the VA is dwarfed by the support corporate America has offered in similar situations," Sullivan said. "So far, the vets haven't been offered credit monitoring. Instead, the VA is reminding victims that they are entitled to a free copy of their credit report every year, and then basically wishing them good luck."

This is unacceptable for a couple of reasons, he said: Vets who've already received their one free peek at credit bureau data this year can't get a free report at AnnualCreditReport.com. "Instead, they have to go through more complicated steps and might end up paying for it."

The Fair Credit Reporting Act was amended last year to provide those in the U.S. with the ability to request a free credit report from each of the three major credit reporting agencies once every 12 months.

"Meanwhile, a single peek at their credit reports today would probably reveal very little," Sullivan said. "Fraudulent accounts can take weeks or months to appear, meaning it would be better to take that one peek in a month or two. But even that's a tepid step at best to spy signs of identity theft after a data leak like this."

He said ChoicePoint Inc., LexisNexis Group and nearly all other commercial entities that have lost data have offered credit monitoring to victims for three, six and even 12 months and that the VA should do the same.

"Anything less is neglectful," he said.

Another veteran, infosecurity expert Martin McKeay, wondered how any government agency could allow an employee to have personal data on so many people stored at home.

"What legitimate reason could anyone have for leaving 26 million records on their laptop?" he asked in his Network Security blog. "I'd like to know exactly why this VA employee thought that taking home a database of this size would be an acceptable business practice."

As a veteran who left the Army more than 17 years ago, he said he's worried about the status of his own information. If the employee wasn't authorized to take the data home, McKeay said the agency must be blamed for lacking the technical safeguards to prevent what happened. The whole affair shows the VA wasn't taking the situation seriously enough, he added.

Other blogs ran straight news stories about the theft and tried to offer worried veterans some guidance. The numbrX Security Beat blog, which keeps an online record of all reported data breaches, directed veterans to a page on the VA Web site where they can hopefully get some questions answered.