Security Blog Log: Uncle Sam slammed over data theft

---------------------------------------------------------------------------------------------------------

The reaction was hardly surprising, given that many security bloggers are veterans themselves.

The department confirmed Monday that the stolen records contained the names, Social Security numbers and dates of birth for every veteran discharged from the military since 1975. At this point, there's no evidence thieves have used the data to commit identity fraud, but that's of little comfort to bloggers like Mike Spinney, a self-described public relations writer, consultant and veteran.

"As a veteran discharged from the U.S. Navy in 1987, this one hits home," he said in his Private Communications blog. "There's a very good chance my information is on the stolen disk. But I'm not here to gripe about the fact that I now have to pay closer attention to my credit records."

About Security Blog Log Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com. Recent columns: Blue Security's demise evokes mixed emotions Data storage bills go to extremes Are certifications silly?

"Add this week's 26.5 million veterans and the federal government accounts for at least one third of the 81-plus million data records the PRC says have been compromised since ChoicePoint," Spinney said. "This doesn't mean that Congress has lost its moral authority to draft and enact a federal data protection and notification law, but it does mean that the federal government needs to quickly and forcefully address its own shortcomings with regard to data protection."

Spinney linked to another blog chock full of criticism for Uncle Sam: MSNBC's Red Tape Chronicles. There, MSNBC Internet scam and consumer fraud specialist Bob Sullivan wrote that the victims, who once put their lives on the line for their country, appear to be getting even less compensation than most victims of data theft.

"The support offered to victims by the VA is dwarfed by the support corporate America has offered in similar situations," Sullivan said. "So far, the vets haven't been offered credit monitoring. Instead, the VA is reminding victims that they are entitled to a free copy of their credit report every year, and then basically wishing them good luck."

This is unacceptable for a couple reasons, he said: Vets who've already received their one free peek at credit bureau data this year can't get a free report at AnnualCreditReport.com. "Instead, they have to go through more complicated steps and might end up paying for it."

I'd like to know exactly why this VA employee thought that taking home a database of this size would be an acceptable business practice. Martin McKeay,

"Meanwhile, a single peek at their credit reports today would probably reveal very little," Sullivan said. "Fraudulent accounts can take weeks or months to appear, meaning it would be better to take that one peek in a month or two. But even that's a tepid step at best to spy signs of identity theft after a data leak like this."

He said ChoicePoint Inc., LexisNexis Group and nearly all other commercial entities that have lost data have offered credit monitoring to victims for three, six and even 12 months and that the VA should do the same.

"Anything less is neglectful," he said.

Another veteran, infosecurity expert Martin McKeay, wondered how any government agency could allow an employee to have personal data on so many people stored at home.

"What legitimate reason could anyone have for leaving 26 million records on their laptop?" he asked in his Network Security blog. "I'd like to know exactly why this VA employee thought that taking home a database of this size would be an acceptable business practice."

As a veteran who left the Army more than 17 years ago, he said he's worried about the status of his own information. If the employee wasn't authorized to take the data home, McKeay said the agency must be blamed for lacking the technical safeguards to prevent what happened. The whole affair shows the VA wasn't taking the situation seriously enough, he added.

Other blogs ran straight news stories about the theft and tried to offer worried veterans some guidance. The numbrX Security Beat blog, which keeps an online record of all reported data breaches, directed veterans to a page on the VA Web site where they can hopefully get some questions answered.