Friday, May 26, 2006

Veteran Data Was Removed Routinely, Official Says

The New York Times
Veteran Data Was Removed Routinely, Official Says

WASHINGTON, May 25 — Officials of the Veterans Affairs Department told angry lawmakers on Thursday that an agency employee had been taking home sensitive data for three years before some of the material was stolen from his residence, compromising the records of 26.5 million veterans.

"He said that he routinely took such data home to work on it, and had been doing so since 2003," George J. Opfer, the department's inspector general, told senators, some of whom expressed amazement at how the department has handled the theft.

Because the data included Social Security numbers and birth dates as well as names, there has been widespread concern that the information could be used by computer-handy criminals for credit card fraud and other forms of identity theft.

Secretary Jim Nicholson said 105,753 calls had been logged from Monday, when his agency set up a special toll-free information line, to Wednesday night.

Mr. Nicholson said he believed computer security had lagged at the agency, which he has headed for just over a year, because of past "embedded cultural resistance" to change.

That inertia is beginning to dissolve, he told a joint hearing of the Veterans Affairs and the Homeland Security and Government Affairs Committees.

"But I'm not going to tell you it's what it should be," he replied to a question from Senator Susan Collins, the Maine Republican who heads the homeland security panel.

Mr. Nicholson said that just sending letters to veterans whose data was compromised — those discharged since 1975, plus some veterans getting disability compensation — would cost $11 million to $12 million. He did not specify how much the agency expected to spend on telephone banks, Web sites and other measures, but Senator Patty Murray, Democrat of Washington, said she expected him to have to ask for more money.

"This responsibility rests on me," Mr. Nicholson told the senators, who greeted him warmly and seemed angry not at him but at the bureaucracy of the 235,000-employee veterans agency, which has been criticized by its own inspector general's office several years in a row for inadequate data security.

It seemed possible from exchanges between Mr. Nicholson and members of the committees that the full dimension of the current data breach, which came about because an agency employee's suburban house was burglarized after he took the data home without authorization, might not yet be known.

Ms. Murray, who sits on the Veterans Affairs Committee, posed this question: Suppose letters are sent to veterans who have already died and then returned unopened; could spouses or other relatives be vulnerable?

"That's a good question," Mr. Nicholson replied. "We'll have to look at that."

Moreover, he said that the data on some veterans included "numerical disability ratings and the diagnostic codes which identify the disabilities being compensated," enough knowledge for some unauthorized people to compute compensation payments.

Mr. Nicholson said the employee who took the data home had broken no law "as near as I can tell," even though he had violated department policy. He said the employee, a data analyst, had been cooperating with the Montgomery County police and the Federal Bureau of Investigation.

Mr. Nicholson said he continued to be outraged over the delay between the burglary, on May 3, and the date he learned about it, May 16. Senators Collins and Larry E. Craig, the Idaho Republican who heads the Veterans Affairs Committee, described the time lag as "baffling," "mind-boggling" and "just unbelievable."