
In a shocking illustration of the truism that more integrated databases make for larger and more lucrative honeypots/disaster magnets, the data of approximately 26.5 million US veterans was stolen recently. A Veterans' Affairs employee disregarded security protocols and took a laptop with sensitive data home; the laptop was then taken during a burglary at the employee's residence. Information stolen included the veterans' Social Security numbers, birthdates and in some cases a disability rating.
Using this information, sophisticated criminals could obtain credit reports, bank and credit card accounts and place of residence information to complete many or all of the requirements for identity theft. That in turn enables all kinds of fraud schemes that can do irreparable damage to individuals' credit ratings and finances.
Identity theft has become a serious problem in the USA. America has far fewer limits concerning the private or public collection, trade and custody of individuals' personal data, and there is little apparent liability for its misuse or associated negligence. The Direct Marketing Association and credit lobbies have been very effective, and consumers have been big, big losers in the bargain. This is just the latest of a series of major incidents, and it is unusual only in that it is an entirely public sector SNAFU.
Unfortunately, this particular incident has been compounded by questionable official actions...
The systems in question have been the subject of critical Inspector General security reports since 2001. Worse, Veterans' Affairs was notified of the potential problem immediately, but reportedly waited almost 2 weeks to contact law enforcement.
The US Senate and House Veterans' Affairs Committees will both be holding hearings on the data theft over the next little while. Expect a lot of shouting. Which, in this case, seems eminently justified.
Meanwhile, a Veterans' Affairs agent told Federal Computer Weekly that veterans need to monitor credit card activity and check with credit reporting agencies in order to spot identity theft. If it does occur, veterans should file a police report as well as a report to the Federal Trade Commission's identity theft Web site. Rep. John Salazar [D-CO] even introduced legislation on May 23, 2006 to provide free credit monitoring and credit reports for veterans and others affected, plus appropriate notification procedures if a theft occurs.
Folks who are truly serious about helping out here might consider pushing for serious reform - which would include major reforms to a credit agency process that is anything but transparent, and deliberately consumer hostile when it comes to disputes, challenges, etc. It's precisely because of this stacked nature that identity theft is such a nightmare, and its consequences so lasting. For all the kerfuffle about the bankruptcy bill last year, the most significant ground for a reform that would truly help a lot of low-income people lies right here. Just don't expect much help from the Morans of the world [D-MBNA]....








Just a little wording suggestion. In the information security community referring to a computer/system as a "honeypot" means that it's actually a trap. People set up honeypots for the purposes of letting people hack into them to capture information about the attack.
So to say that systems like this make for lucrative honeypots is sort of an oxymoron based on the industry's terminology.
The term has slid that way, and in fact Winds is part of an effort called "Project Honeypot."
The thing about large databases is that they are BOTH kinds of honeypot - attractive targets, and if cards are played correctly, also a good potential trap for would-be thieves.
Given the ramifications of actual breaches, however, the tradeoff of snare potential vs. disaster potential often does not favour the public interest.
It's still early to implement this but not too early to suggest it -- just issue new SSNs to those vets affected. Long gone are the days of paper records and the headaches of cataloguing, linking, archiving and recalling two separate records. Linking the two should be fairly straightforward.
I will concede there is more to this effort than the above. In addition to the various businesses that require/rely on the numbers having to ramp-up and pay the cost to address coordination issues, the internal IRS and SS databases would likely have to be modified to accept this new feature.
To tell the truth, I think it will come to this eventually. ID theft will not go away and neither will security breaches and human error. That there is also the possibility a massive ID theft could be used by terrorists to disrupt the economy only adds to the problem's potential.
It would be nice to see this possibility thought through more thoroughly but just thinking it's a possibility would relieve my frayed nerves if I was one of those whose personal information was lost and cannot do much but wait to see if the hammer drops on me.
It is my opinion that any government employee, be they State or Federal, and no matter what department, who commits gross negligence such as this, should serve jail time. (From what I've seen and heard, this doesn't happen now. Correct me if I'm wrong.)
I work as a contractor for the federal government and these guys just don't get it. No matter how many horror stories we see in the news, no matter how many times we make them take security training, they continue to be negligent, especially when it requires effort to not be. And when they're not being negligent, they're being careless. It's my opinion that only a real threat to their personal freedom will get them to shape up.
I also could take about an hour and rant about the fact that government employees are allowed to unionize and how stupid I think that is, but that's obviously a different topic. Slightly related in that I think the attitude of invulnerability because of the union leads to this negligent and careless behavior, but certainly not completely on topic. ;)
Joe,
As part of anti-immigration efforts every employer and employee in America will need to be in a government database.
The anti-immigration efforts will turn a small cut into a gaping wound.
And most folks can't wait to punish the Mexicans.
Reminds me of the story of the genie who offered an American a wish provided his Mexican neighbor got double what he asked for. The American was no fool. He told the genie “poke out one of my eyes.”
http://powerandcontrol.bl*gspot.com/2006/05/i-had-dream.html
Did I mention that initial tests with 3,600 employers had a 15% failure rate?
If the discrepancies can't be resolved you lose your job and your ability to work.
Never fear. In the bill as proposed Congress has granted the government immunity from class action suits. It seems like even Congress is expecting a disaster.
Canadian gun registry ring a bell?
Alarm bells are ringing. Congress ties down the safeties. Way cool.