By Ann Scott Tyson and Christopher Lee
The Washington Post
WASHINGTON -- Social Security numbers and other personal information
for as many as 2.2 million U.S. military personnel -- including nearly
80 percent of the active-duty force -- were among the data stolen from
the home of a Department of Veterans Affairs analyst last month,
federal officials said Tuesday, raising concerns about national
security as well as identity theft.
The department announced that personal data for as many as 1.1 million
active-duty military personnel, 430,000 National Guard members and
645,000 reserve members may have been included on an electronic file
stolen May 3 from a department employee's house in Aspen Hill, Md. The
stolen data include names, birth dates and Social Security numbers, VA
spokesman Matt Burns said.
Defense officials said the loss is unprecedented and raises concerns
about the safety of U.S. military forces. But they cautioned that
law-enforcement agencies investigating the incident have not found
evidence the stolen information has been used to commit identity
theft.
Pentagon spokesman Bryan Whitman said the loss is "the largest that I
am aware of."
Rep. Lane Evans (D-Ill.) ranking member of the House Veterans' Affairs
Committee, said he was "appalled" at the data breach and called for a
Government Accountability Office investigation into VA information
security practices.
Army spokesman Paul Boyce said, "Obviously there are issues associated
with identity theft and force protection."
For example, the information could be used to find out where military
personnel live, security experts said.
"This essentially can create a ZIP code for where each of the service
members and [their] families live, and if it fell into the wrong
hands, could potentially put them at jeopardy of being targeted," said
David Heyman, director of the homeland security program at the Center
for Strategic and International Studies.
Another worry is that the information could reach foreign governments
and their intelligence services or other entities, allowing them to
target service members and their families, the experts said.
One defense official, speaking on condition of anonymity because of
the sensitivity of the matter, called the potential damage
"monumental."
The revelations significantly increase the potential harm from what
was already one of the larger data breaches in U.S. history. On May
22, the VA disclosed that an external computer hard drive was stolen
from the home of a VA employee and that it contained unencrypted names
and birth dates for as many as 26.5 million veterans who were
discharged after 1975 or submitted benefit claims. It also included
Social Security numbers for 19.6 million of those veterans, VA
officials said.
Initially the VA thought that all of the 26.5 million people affected
were veterans, but a database comparison revealed that they also
included most of active-duty military services as well as more than 1
million members of the National Guard and reserves.
Montgomery County, Md., police released a description Tuesday of the
stolen laptop and its external hard drive because they said it may
have been purchased by someone who does not realize the value of its
content.
"It could have shown up at a yard sale or a secondhand store," police
spokeswoman Lucille Baur said. "This is a time of the year when
parents may be buying computers for kids going to college in the
fall."
Montgomery County police are offering a $50,000 reward for information
that allows authorities to recover the laptop. The laptop is a
Hewlett-Packard model number zv5360us, and the external hard drive is
an HP External Personal Media Drive.
The breach outraged veterans, even more so because senior VA officials
knew about the theft within hours of the crime but did not tell VA
Secretary Jim Nicholson until 13 days later. The 60-year-old analyst,
who had been taking home sensitive data for at least three years
without authorization, has been fired, officials have said. His boss
resigned last week, and another senior VA official is on
administrative leave pending investigations by the FBI, the VA
inspector general and Montgomery County police.
A coalition of veterans groups filed a class-action lawsuit against
the federal government Tuesday, contending that privacy rights were
violated and seeking $1,000 in damages for each affected veteran.
The lawsuit, filed in U.S. District Court in the District of Columbia,
demands that the VA fully disclose who was affected by the theft and
asks a court to prohibit VA workers from using sensitive data until
safeguards are in place.
The VA gets records for every new recruit because active-duty
personnel, National Guard members and reservists are eligible for
certain VA benefits, such as GI Bill educational assistance and a home
loan guaranty program.
"The department will continue to make every effort to inform and help
protect those potentially affected and is working with the Department
of Defense to notify all affected personnel," Nicholson said.
Copyright 2006, Washington Post
Ann Tyson & Christopher Lee (washpost@telecom-digest.org)