Government Hit by Rash of Data Breaches
The government agency charged with fighting identity theft said Thursday it
had lost two government laptops containing sensitive personal data, the latest
in a series of breaches encompassing millions of people.
The Federal Trade Commission said it would provide free credit monitoring for
110 people targeted for investigation whose names, addresses, Social Security
numbers -- and in some instances, financial account numbers -- were taken from
an FTC attorney's locked car.
The car theft occurred about 10 days ago and managers were immediately notified.
Many of the people whose data were compromised were being investigated for possible
fraud and identity theft, said Joel Winston, associate director of the FTC's
Division of Privacy and Identity Theft Protection.
"Basically these were attorneys who were going to file a lawsuit, and
they had relevant evidence on their laptops," Winston said, noting that
the FTC employees did not violate security procedures by storing the password-protected
laptops in their cars.
"We will be reassessing what procedures we have to make sure reasonable
measures are taken to protect data," he said.
The disclosure comes amid a widening data breach that is expected to cost the
government hundreds of millions of dollars. In all, five government agencies
have reported data theft, including the Veterans Affairs Department, which on
May 22 acknowledged losing data on up to 26.5 million veterans.
-- At the Agriculture Department, a hacker broke into the computer system,
obtaining names, Social Security numbers and photos of 26,000 Washington-area
employees and contractors. Victims will be offered free credit monitoring for
a year after the break-in in early June.
-- At Health and Human Services, personal information for nearly 17,000 Medicare
beneficiaries may have been compromised in April when an insurance company employee
called up the data through a hotel computer and then failed to delete the file.
-- At Energy, Social Security numbers and other data for nearly 1,500 people
working for the National Nuclear Security Administration may have been compromised
when a hacker gained entry to its computer system last fall. Officials said
June 12 they had learned only recently of the breach.
On Thursday, a House panel was cautioned that credit monitoring alone may not
be enough to protect Americans whose names, birth dates and Social Security
numbers were compromised at the hands of the government.
"The worst-case scenario is that the veterans file finds its way to a
public distribution source, such as the Internet," said Mike Cook, a co-founder
of a company specializing in data breaches.
"If this happens, the stolen identities will lose their connection to
the VA data breach and groups of fraudsters might actively trade that data among
the fraud community," he said. "More people might have access and
could misuse those identities on a grander scale."
The Senate Appropriations Committee approved $160 million in emergency funds
for credit monitoring for veterans on a 15-13 vote; some Republicans objected
because the VA has said it can use existing funds to pay for credit checks.
"I don't think it's acceptable to tell our veterans we lost your personal
information, and by the way, we're going to cut your health care to pay for
it," said Sen. Patty Murray, D-Wash., who sponsored the amendment to an
agriculture spending bill.
On Wednesday, the VA announced it would provide free monitoring for a year,
taking responsibility after the data was stolen from a VA employee's home in
suburban Maryland. The VA said it would also hire a contractor to do data analysis
to help pinpoint identity theft; the agency, however, did not offer specifics,
saying it wanted to see what bids it receives.
Noting "it's not going to be cheap," VA Secretary Jim Nicholson pledged
not to take the money from current VA programs. So far, the department has already
spent $14 million to set up a call center and notify veterans by letter, and
it's spending an additional $200,000 a day to maintain the call center.
During the House hearing Thursday, Cook said identity theft victims typically
don't become aware they've been hurt until six months after their data was stolen,
when creditors come calling for money owed. At that point, it's likely the thieves
will have moved on -- having made just a few purchases so they don't attract
notice -- and started using another victim's information.
As a result, a credit monitoring service would raise a red flag after it was
too late, Cook said. He said data analysis technology was available to help
detect identity theft as it occurs, particularly in the typical cases in which thieves
use stolen identities to fraudulently obtain credit cards and then make purchases.
Rep. Steve Buyer, chairman of the House Veterans Affairs Committee, said he
believed the VA and Congress should consider additional safeguard measures --
even if it means costing taxpayers more.
"The concern is, are we creating a false expectancy -- that if the VA does
credit monitoring, I am safe?" said Buyer, R-Ind. "I still have great
There have been no reports of identity theft so far from the VA data breach,
one of the nation's largest. But Nicholson acknowledged this week that authorities
-- who believe the burglars were not specifically targeting the sensitive data
-- are nowhere close to apprehending those responsible.