Police believe that thieves who stole a laptop and external hard drive from a Department of Veterans Affairs employee were interested in selling the equipment, not harvesting the sensitive personal information it contained, VA Secretary Jim Nicholson said yesterday.
A series of burglaries targeting computer hardware has hit the Aspen Hill area, where the employee lives, Nicholson said. More than a month after the May 3 crime -- which compromised the names, birth dates and Social Security numbers of millions of veterans and active-duty military members -- the FBI and Montgomery County police have no evidence that anyone is using the information to commit fraud or identity theft, he said.
"They believe that these were young burglars whose goal was to get computers and computer peripheral equipment," Nicholson testified before the House Government Reform Committee. "And from other houses, like they did this house, they took a laptop and hard drive, and overlooked other valuable or semi-valuable things. . . . They further think that their MO is to take these things, clean them up -- actually erase them -- and then fence them into a market for college campuses and high schools."
Nicholson cautioned that authorities had no assurances their theory of the crime is correct. And although police have arrested some people in connection with the recent burglaries, serial numbers on recovered computer equipment did not match those of the items stolen from the employee's home, he said.
Haven't we all seen enough heist films to know that smart thieves don't spend their loot right away? Why is this any different? How is one month enough to make police think the most likely possibility is that the thieves didn't want the data?
Here's the part that really annoys the hell out of me:
Let's take the second one first. How the hell do you lose a computer on an airplane??? It's an enclosed space that can be thoroughly searched!! Was the IRS employee on Oceanic Flight 815??
The committee hearing examined the VA data breach, the largest in government history, in the context of information security concerns across the federal bureaucracy. The VA theft put at risk the unencrypted personal information of 26.5 million veterans and active-duty military members. But smaller security lapses take place routinely, said Clay Johnson III, deputy director for management at the Office of Management and Budget.
"I'm told that there are dozens of security breaches involving laptops in a year," Johnson said. "None of these involve 26 million, 27 million names. So this is the 100-year storm of security breaches. The magnitude of it is the alarming thing."
He said the key is to minimize the number and impact of data breaches by requiring agencies to tighten enforcement of existing security policies. "It is currently the standard that all sensitive data on laptops be encrypted," Johnson said. "That is the standard. It's just not enforced."
Despite assurances yesterday of stringent security policies from officials with the Internal Revenue Service and the Social Security Administration, both agencies have suffered smaller-scale breaches in recent months.
Early last month, an IRS employee lost an agency laptop on an airplane; it contained unencrypted names, birth dates and Social Security numbers for 291 workers and job applicants, agency officials said this week.
An SSA employee's personal laptop computer containing Social Security numbers and other sensitive information for 200 people was recently stolen at a conference the employee was attending, William E. Gray, a deputy commissioner at the agency, said in written testimony yesterday. [Emphases added.]
As for the fact that the encryption of all sensitive data on government laptops is the standard, but is not enforced, let's start with immediately terminating the employment of anyone who doesn't meet this "standard," along with their supervisors. And let's make the failure to properly encrypt sensitive files a felony (I'm assuming it's not already) and prosecute it to the full extent of the law. Maybe that'll get the point across.
It takes me thirty seconds to encrypt a Word document, and it doesn't take that much longer to encrypt a database. If you can't be bothered to take the simple steps required to keep information about American citizens safe, you shouldn't work for American citizens. Taking home your work is understandable, and with modern encryption methods it can be perfectly safe (assuming it's not the NSA that steals it), but - and here's the tricky part - encryption doesn't work if you don't use it.
Here's my nominee for Intellectual Giant of the Week:
Rep. Gil Gutknecht (R-Minn.) said media accounts had blown the VA data theft out of proportion. "So far, there's no evidence that any of these people have actually sustained any real damage," he said.
The nerve of people to make a big scene about the theft of the personal information of 26.5 million veterans. Don't misunderstand me: I get that Rep. Gutknecht has more important things to deal with, like stopping homos from getting hitched or protesting the serving of warrants on corrupt Congressmen. But that aside, it's not possible to blow this out of proportion. Even if the cops' new theory is right and the computer's been wiped (and this assumes it's been securely wiped, by the way), it's the fact that this theft was even possible that has to be dealt with swiftly and severely.
Hello, China? This is the US. Just wanted to give you a heads up that one of our nukes that was aimed at Beijing somehow got loose. But don't worry about it: there's no evidence it's gonna actually hit Beijing: in fact, we now believe that it was never armed, and we further think that it's gonna end up splashing harmlessly in the ocean anyway. Excuse me? Hey, look, don't blow this out of proportion. After all, there's no evidence that any residents of Beijing have actually sustained any real damage, right? What's that? Nah, since nobody's been hurt so far I don't think we should worry too much about it.
(Via fellow vet Gun Toting Liberal, who as usual ain't havin' none of it.)