The VA Data Theft

Our friend Jon Stanley has sent me this letter concerning the risks for veterans in the recent theft of personal data from the Department of Veterans’ Affairs.  He would like to make it clear that he is not in search of clients and offers this as a service to us all.

On behalf of us all, I thank him.

Pat Lang

——————————————————————————————————–

"To Whom It May Concern:

You all know the saying, "on the internet they don’t know you are a dog", or words to that effect. So feel free to take what I am about to share with a grain of salt.

I’m a lawyer and a frequent poster on this blog. Jonst is my handle. My field of expertise is in information security/technology law. One area of law, and/or law breaking you might say, that I am focusing on, is identity theft/misuse. Presently, I’m part of a team working on an 18 month long project dealing with ID theft/misuse. The project is funded by the National Institute of Justice which some of you might know is the research and development branch of the US Department of Justice. I have spoken on the topic of ID theft at the annual American Bar Association meeting in 2005 and numerous RSA Security conferences. Last month I was one of three presenters on a national teleconf hosted by the ABA on ID Theft. I don’t say all this stuff for self promotion. I say it because I am about to offer people some advice on what I think is an important subject. And if you guys are like me, when someone is offering me advice on something I want to know about, I want to know a bit about their background. This is particularly so when the advice proffered may, at first glance, go against the conventional wisdom. So there is the ‘bit’.

As many of you know already, a large data base of veterans’ information is missing from the home of a Veterans Admin employee. Ostensibly, the info was taken during a ‘routine’ burglary. The data taken "…..contained the names, Social Security numbers and birth dates of every living veteran from 1975 to the present, Veterans Affairs Secretary Jim Nicholson said Monday". I believe it is the greatest theft of SSN in our history. [update: it may be that some pre 1975 Vets were affected. The jury is still out on that.]

Veterans, and other relevant parties, are being assured that if all is not exactly well, it is close to well: "Nicholson and Attorney General Alberto Gonzales said there was no indication that the information has been misused" and that this was just a ‘routine burglary’. To me their reaction is like hearing the officer say, "move along folks, there’s nothing to see here."

I’m going to share some of my thoughts on ID theft with you. Take it for what it is worth. Here goes:

1. First, there is a bustling black/gray market for social security numbers.

http://select.nytimes.com/gst/abstract.html?res=F00E13FF385C0C748CDDAF0894DD404482  and http://www.symantec.com/avcenter/cybercrime/index_page5.html  for example. Let’s do a conservative guess on the value of a valid SSN. Say ten dollars a number. Now, 10 x, again, let’s be conservative, let’s say, there were only 20 million numbers on the medium in question, the hard drive or the external hard drive or both. So, 10 x 20 million. You get the potential prize here that has been stolen? You think this increases or decreases the odds that the wrong info is going to get (or has already gotten) into the wrong hands? So what does it mean when we are assured that there is no indication that the info has been misused? Again, I’ll leave that to the reader. Me? I’m concerned. Not panicked. Indeed, not even overly concerned. But I am concerned. Damn concerned.

2. Again, with regard to the no misuse issue. On average it takes over one year for misuse of a person’s ID to show up. See, among many other sources, statement by J Howard Beales, then Director of the FTC’s Bureau of Consumer Protection, made before the Senate Commission on the Judiciary, 20 March, 2002. And it gets worse. Anecdotal evidence is suggesting that it’s possible that organized ID theft rings are ‘warehousing’, or ‘parking’ stolen ID data for use years down the road. The evidence is not strong enough yet for it to be proffered with a sense of certainty. But it is out there, discussed among people on both sides of the law who make their living at this. The argument is: people might be on a heightened sense of alert in the immediate aftermath of a theft of their data (say 2 years) but as time moves on the heightened state of alert is diminished. Hence the supposed parking of data. Aged data if you will.

3. Here are some sites you can go to that will offer some suggestions as to what course of action you might consider taking if you find out, or suspect, your data has been compromised.

http://www.consumer.gov/idtheft/ 

http://www.privacyrights.org/about_us.htm 

http://www.idtheftcenter.org/index.htm 

There are others as well.

4. Be on the lookout for solicitations where the party soliciting seems to know a bit about you. As in ‘let me say up front we want to thank you for your x tours in x country. And for your service in the x corps or field artillery.’ You know, stuff like that and then they go on to say ‘the vet admin is cutting back and this supplemental policy could solve all your woes.’ Or this ‘credit card will be the lowest interest in the western world’. Seriously, these scams can be really slick.

Again, and in conclusion, panic and undue worry are uncalled for. This is a risk management issue. The threat level has gone up somewhat. More than the media is letting on. At least in the first reports. And less than those who might counsel ‘they’re coming over the walls folks’. But I would, at a minimum, start paying a lot of attention, prolonged attention, to my financial statements and records.

I hope that this has been helpful. That was my intention. I will be glad to answer, where I have answers, any follow up questions you might have.

Jon Stanley

Attorney at Law


10 Responses to The VA Data Theft

  1. Jerry Thompson says:

    Thanks very much.

  2. john pfefiler says:

    Ditto the thanks.

  3. jonst says:

    You guys are welcome. I really enjoy the people on this blog and I figure more than a few of them are vets.

  4. taters says:

    Valuable info, johnst, good for you. Great point about “phishing”. I’ve seen “spoofs” of many agencies and institutions – with the “correct” logo (easy cut & paste job) including the FBI. Forewarned is forearmed.

  5. BillD says:

    Thanks, Jonst. Very good advice.

  6. Eric says:

    Thanks Jonst.

  7. semi-crazy says:

    This happened in ’02 or ’03 as well, a theft from a Tricare building.
    Thanks for the info, Johnst.

  8. jonst says:

    Yes, semi…and there were, and remain, problems for vets from it. But that was a blip (as serious as it was) compared to this. This is a HUGE deal among the infosec crowd I hang with. 26 mil ssn and a ton of information to go with it. The mother lode. I will not be one bit surprised if it turns out that the ‘burglar’ knew exactly what he was looking for. Assuming that is, there was a burglar in the first place.

  9. Patrick Henry says:

    Yep…Strange how these type of “Lap Tops” and Data Just Disappear from time to time..
    Reminds me of Robert Hanssen and Rick Ames..
    So Much Intrigue..
    In this “Safer World”..
    Strangest Ball game I ever saw..

  10. bud says:

    How expensive would it be to re-issue each lost SSN a new one to the vets (and anyone else who lost it due to government carelessness)? This would make the stolen IDs worthless.
