
Security Blog Log: The bright side of the VA data theft

Is there a silver lining in the cloud that hangs over millions of veterans whose data was recently compromised? Some security bloggers think so.


For the 26.5 million U.S. veterans whose personal information was stolen last week, it's probably hard to see a silver lining in the cloud of uncertainty now hanging over them. But according to some security bloggers, there really is a bright side.

The U.S. Department of Veterans Affairs confirmed May 22 that records for every veteran discharged from the military since 1975 were stolen from the home of an agency employee. The records contained the names, Social Security numbers and dates of birth of the veterans and some spouses.

But Pete Lindstrom, research director of Spire Security LLC in Malvern, Penn., suggested in his Spire Security Viewpoint blog that there's a "finite limitation" to the number of Social Security numbers that may actually be used for fraud. For one thing, he said, it takes considerable work to "monetize" Social Security numbers. Credit card numbers, on the other hand, are more likely to be used for quick-hit acts of fraud, he added.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at


Given all the work required to convert Social Security numbers into financial gains, Lindstrom said it's best for each individual involved to be one of many.

"The larger the number of SSNs stolen, the less likely any individual is to be a victim," he said, since there's no way the thieves can process all 26.5 million records. "So 26.5 million is better than, say, five …"

Lindstrom also took blogs like Emergent Chaos to task for suggesting that 8.9% of Americans are at increased risk for ID theft due to "that fellow" at the VA.

"Sure, the 13% at risk for account takeover from CardSystems was bad, but that was just credit cards. This is about the databases that control our lives," Adam Shostack wrote in the Emergent Chaos blog. "This is horrendous."

Lindstrom said Emergent Chaos and other blogs have engaged in a "baroque and convoluted publicity stunt to create FUD" around the VA data loss. He then offered some perspective, borrowing from a 2003 study conducted by Aegis Group plc's Synovate marketing research group on behalf of the Federal Trade Commission (FTC).

The study concluded that 100% of all Social Security numbers are at risk of use in identity fraud. That being the case, Lindstrom suggested that the latest incident means the affected veterans probably aren't any more likely to be ID theft victims than they already were.

"What I am suggesting is that the absolute level of increased risk is likely very, very, low," he said. "That is, if a typical account has 150,000 people with access and now there are 150,005 (or even 150,100 for that matter), even having an extra 100 people with access is not going to change the risk equation that much."

While it's unfortunate the VA theft happened, he said it's not the end of the world -- yet.

Some other bloggers agreed with Lindstrom's overall assessment, including Mike Rothman, president and principal analyst of Security Incite, an industry analyst firm in Atlanta.

"To be clear, the theft was terrible and I feel for all of the veterans out there that are now at an increased risk," Rothman said in his blog. "But [Lindstrom's blog] correctly indicates that a SSN requires a considerable amount of extra work to 'monetize' it. And there is no way the bad guys can get to all 26 million records."

Rothman added, "I know it seems a bit strange (and certainly wouldn't make a veteran feel any better), but Pete's thinking is correct."
