Senate hearing: VA data theft should be wake-up call

Panel criticizes agency for waiting three weeks before alerting veterans to security breach


The theft of a Veterans Affairs Department computer and disks containing personal information on 26.5 million veterans should serve as a wake-up call for the entire federal government on the need to protect information, said Sen. Susan Collins (R-Maine), chairman of the Senate Homeland Security Committee, at a hearing today.

Sen. Larry Craig (R-Idaho), chairman of the Senate Veterans Affairs Committee, said safeguarding personal data should be a concern of every agency in the federal government. Collins added that all federal agencies need to realize that they must act as careful stewards of the sensitive information they hold on the American public.

Craig said that the VA compounded the potential damage of the theft by waiting 13 days to report it to the FBI, and another week before alerting the public.

That time lag was “pretty unbelievable … and absurd,” Craig said.

A prepared statement from George Opfer, the VA Inspector General, detailed the steps the agency did, and didn't, take after the theft of May 3. VA Secretary James Nicholson was not informed of the theft until May 16, almost two weeks after it happened, Opfer said.

Opfer said the data analyst, who said he had been routinely taking information home since 2003, had his home burglarized on May 3, and notified local police in Montgomery County, Md., of the theft.

But, Opfer said, it was not until May 10 that the VA had its first inkling that anything had happened. On that date an information security officer (ISO), attending a routine meeting at a VA office, heard another ISO mention that a VA employee’s home had been burglarized and that electronic records may have been stolen.

The officer started an investigation, and filed a written report the next day to alert the VA Office of Investigations, Opfer said. On May 12, a criminal investigation was initiated and efforts commenced to identify and interview the employee.

The IG was able to interview the employee on May 15, Opfer said. During that interview the employee said he believed that several electronic files containing veteran information stored on personally-owned computer hardware had been stolen during the burglary.

The employee told investigators that he believed the stolen information included the names, birthdates, and social security numbers of approximately 26.5 million veterans, Opfer said.

The VA IG staff met with the Montgomery County Police Department on May 16 and informed them of the suspected loss of millions of veterans’ private information, Opfer said.

Opfer said that the FBI was not notified of the theft until May 17 and the VA did not publicly disclose the theft until this Monday, May 22.