VA data files on millions of veterans stolen

Other data security breaches

August 2005
The Air Force notifies more than 33,000 airmen that much of their personal information was stolen from the online Assignment Management System. Air Force Personnel Center officials at Randolph Air Force Base, Texas, alerted service and federal investigators to unusually high activity on a single user's AMS account in June. While the investigation is continuing, AFPC spokeswoman Lt. Col. Michele DeWerth said a malicious user illegally acquired a legitimate user ID and password and used them to gain access to officers' information.

June 2005
In early 2004, someone accessed current and former Federal Deposit Insurance Corporation employee personal data without authorization. That data included names, dates of birth, salaries, Social Security numbers and length of service. In the subsequent investigation, the FBI found that data of all FDIC employees and former employees has been stolen.

February 2005
The Bank of America Corp. lost data tapes containing personal information on 1.2 million federal charge card holders. The bank acknowledged that it could not locate magnetic tapes used for federal credit card accounts.'Jason Miller

(Updated) The Veterans Affairs Department today revealed that personal, identifying data for as many as 26 million American veterans was stolen from a VA employee's home in May.

The information is a list of all veterans who served in the military and were discharged since 1975.

A VA employee took files home as part of department work on a data collation project to simplify some VA processes. Subsequently, someone broke into the employee's home and stole the data.

The career employee, a data analyst, was not authorized to take the files home, said VA secretary Jim Nicholson in a teleconference with reporters.

He would not say what form the data was in.

The data analyst, whom VA would not identify, has authority to access the information for his job but did not follow procedures to safeguard the data. He has been put on administrative leave pending the outcome of the investigation, the secretary said.

'We do have people that telecommute. We have a system of policies and controls that are in place and operating, and this person violated those,' Nicholson said.

The veterans' personal information that was compromised included names, Social Security numbers and dates of birth. The data contained no medical or financial information, but there may be disability numerical rankings, he said.

'Considering the pros and cons of going public, we've decided to come down on the side of making veterans aware. There is no indication that any unauthorized use is being made of this data or that they (the burglars) know that they have it,' he said

The FBI, VA's inspector general and local law enforcement are investigating the theft. Investigators believe the burglary was random and not targeted for the VA information. Several thefts have been reported in the community. The secretary would not pinpoint exactly when the robbery took place, only that it was sometime this month.

Nicholson has taken initial steps inside and outside government to alert veterans and improve data security. He has briefed the co-chairs of the President's Identity Theft Task Force, which is charged with better securing government-held personal data. Attorney General Alberto Gonzales and Federal Trade Commission chairwoman Deborah Majoras lead the task force and he will confer with them today in a previously scheduled meeting.

'This will be the number-one topic,' he said.

Other steps he has taken to alert veterans and tighten security include:
  • VA has established a Web site to inform veterans.
  • VA is notifying veterans, including checking with the Social Security Administration and the IRS for correct addresses.
  • VA will conduct an inventory of those with access to sensitive VA data and possibly ask the FBI for background investigations depending on the level of access and responsibilities.
  • VA will accelerate the requirement that all employees complete a cybersecurity training course to June 30 this year.
  • VA employees will have to sign an annual statement of their awareness of privacy and security responsibilities and consequences of disclosing personal information.


Originally posted at 12:09 p.m. and updated at 3:18 p.m.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above