The U.S. Department of Veterans Affairs confirmed May 22 that records for every veteran discharged from the military since 1975 were stolen from the home of an agency employee. The records contained the names, Social Security numbers and dates of birth of the veterans and some spouses.
But Pete Lindstrom, research director of Spire Security LLC in Malvern, Penn., suggested in his Spire Security Viewpoint blog that there's a "finite limitation" to the number of Social Security numbers that may actually be used for fraud. For one thing, he said, it takes considerable work to "monetize" Social Security numbers. He added that credit card numbers, on the other hand, are more likely to be used for quick-hit acts of fraud.
"The larger the number of SSNs stolen, the less likely any individual is to be a victim," he said, since there's no way the thieves can process all 26.5 million records. "So 26.5 million is better than, say, five …"
Lindstrom also took blogs like Emergent Chaos to task for suggesting that 8.9% of Americans are at increased risk for ID theft due to "that fellow" at the VA.
"Sure, the 13% at risk for account takeover from CardSystems was bad, but that was just credit cards. This is about the databases that control our lives," Adam Shostack wrote in the Emergent Chaos blog. "This is horrendous."
Lindstrom said Emergent Chaos and other blogs have engaged in a "baroque and convoluted publicity stunt to create FUD" around the VA data loss. He then offered some perspective, borrowing from a 2003 study conducted by Aegis Group plc's Synovate marketing research group on behalf of the Federal Trade Commission (FTC).
The study concluded that 100% of all Social Security numbers are at risk of use in identity fraud. That being the case, Lindstrom suggested that the latest incident means the affected veterans probably aren't any more likely to be ID theft victims than they already were.
"What I am suggesting is that the absolute level of increased risk is likely very, very, low," he said. "That is, if a typical account has 150,000 people with access and now there are 150,005 (or even 150,100 for that matter), even having an extra 100 people with access is not going to change the risk equation that much."
While it's unfortunate the VA theft happened, he said it's not the end of the world -- yet.
Some other bloggers agreed with Lindstrom's overall assessment, including Mike Rothman, president and principal analyst of Security Incite, an industry analyst firm in Atlanta.
"To be clear, the theft was terrible and I feel for all of the veterans out there that are now at an increased risk," Rothman said in his blog. "But [Lindstrom's blog] correctly indicates that a SSN requires a considerable amount of extra work to 'monetize' it. And there is no way the bad guys can get to all 26 million records."
Rothman added, "I know it seems a bit strange (and certainly wouldn't make a veteran feel any better), but Pete's thinking is correct."