The New York Times
Veterans Chief Voices Anger on Data Theft
By DAVID STOUT
WASHINGTON, May 24 — Jim Nicholson, the secretary of veterans affairs, expressed outrage Wednesday over being kept in the dark about the theft of computer data on 26.5 million veterans as he himself came under heavy criticism from Capitol Hill.
Mr. Nicholson issued a statement vowing "a very extensive review of individuals up and down the chain of command" and urging the inspector general's office at the Department of Veterans Affairs to expedite an investigation of the affair.
An administration official who has followed the episode said Mr. Nicholson was not told about the missing data until the night of May 16, or 13 days after the disks containing the data were stolen in a burglary at the home of a department employee.
The disks held the names, Social Security numbers, dates of birth and other data on legions of veterans discharged from the mid-1970's onward, and their loss has set off widespread concerns that the information could be used in credit card frauds and other crimes linked to identity theft.
Mr. Nicholson said he was "outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of our policies." He added, "I am also concerned about the timing of the department's response once the burglary became known."
"Upon notification, my first priority was to take all actions necessary to protect veterans from harm and to assist in law enforcement efforts," Mr. Nicholson said. The official who said that Mr. Nicholson had not been informed for 13 days said the secretary had called the Federal Bureau of Investigation once he learned of the theft, then ordered his own agency to set up Web sites and a toll-free number to handle an anticipated flood of queries.
Once the breach was announced on Monday, calls began to pour in. An agency spokesman, Matt Burns, said the department received 25,491 calls on Monday and 58,818 on Tuesday. The call center can handle up to 260,000 telephone queries a day, he said.
It was not clear on Wednesday who had finally notified Mr. Nicholson of the data breach and how many people in the department knew about it before the secretary was told.
Mr. Burns said he could provide no new information on the employee who had taken the computer disks home. He has been placed on administrative leave. A spokesman for the Montgomery County police in Maryland, Lt. Eric Burnett, said his department was not releasing information on the burglary and the ensuing investigation.
The veterans agency has emphasized that there is no sign that any of the data has been used in criminal acts. But lawmakers were not mollified by those assurances, or by Mr. Nicholson's pledge to get to the roots of the affair.
"This is a serious breach that raises troubling questions about the management of the Department of Veterans Affairs," said Senator Patrick J. Leahy, Democrat of Vermont. In view of the delay in disclosing the loss, President Bush should think about finding a new veterans secretary, Mr. Leahy said.
The senator, known as one of the more computer-handy members of Congress, said Mr. Nicholson "needs to answer why this information was left vulnerable to such a breach."
Mr. Nicholson will face questioning on Thursday, before a joint hearing of the Senate's Veterans Affairs and Homeland Security committees.
"We're scrambling right now to get all the information we can," said Senator Larry Craig, the Idaho Republican who heads the veterans panel. Mr. Craig said he was angry about even a possibility that the missing data was "out in the marketplace today, in the criminal element."
Senator John Kerry of Massachusetts and Representative John T. Salazar of Colorado, both Democrats, have introduced a bill that would provide free credit monitoring for veterans affected by the lapse. "This breach should not have happened in the first place, and someone needs to be fired for it," Mr. Kerry said.
Christopher Wolf, a Washington lawyer with the firm Proskauer Rose who specializes in security issues, said that the veterans department was just one of many federal agencies with lax computer security, and that sabotage might not be the biggest danger. "These things happen because of accidents," he said.
The veterans department began issuing new identification cards late in 2004, with a veteran's Social Security number and date of birth encrypted on a magnetic tape on the back. "Identity theft is one of the fast-growing crimes in the nation," read an accompanying announcement.