http://www.washingtonpost.co
m/wp-dyn/content/article/2006/05/31/AR2006053102000.html
By Christopher Lee
Washington Post Staff Writer
June 1, 2006
The sensitive personal information of 26.5 million veterans
that was
stolen from a Department of Veterans Affairs data analyst
last month
was stored in a format that could make it difficult for
thieves to
use, according to an internal VA memo.
In the May 5 memo, VA privacy officer Mark Whitney wrote
that the
critical data "may not be easily accessible"
because most of it --
including names, birth dates and Social Security numbers --
was stored
in a specialized, standard format used for data manipulation
and
statistical analysis.
The format "requires specialized application software
and training" to
write computer code "to access and manipulate the data
for use,"
Whitney wrote in the memo, obtained yesterday by The
Washington Post.
Ari Schwartz, deputy director of the nonprofit Center for
Democracy
and Technology, a privacy group, said Whitney is generally
right that
the information would be hard to extract.
It would be easier, however, if the laptop stolen along with
an
external hard drive and several data disks has the software
needed to
view the data, he said. "This is not nearly the type
of protection
they would have had if they had followed basic security
procedures and
encrypted this," Schwartz said.
The Whitney memo, dated two days after the burglary at the
analyst's
Aspen Hill home and distributed to several high-ranking VA
officials,
provides the first public indication that some addresses and
telephone
numbers were among the stolen data; it refers to such
information
being part of electronic files of a national survey of about
20,000
veterans in 2001.
Also stolen was an electronic spreadsheet with 6,744 records
about
"mustard gas veterans" -- generally, veterans
who took part in
chemical warfare tests during World War II. Another stolen
file
contains as many as 10 diagnostic codes from the treatment
file of one
veteran who visited the VA health-care system on 57 dates.
"These type of data contain more than limited
financial information,
the codes contain information about veterans' medical
conditions,"
Rep. Bob Filner (D-Calif.) said in a statement. "It is
not appropriate
for this information to ever enter the public domain."
Matthew Burns, a VA spokesman, said the department has been
"focused
on getting notification to veterans that some of the most
sensitive
data was out there."
Also yesterday, VA Secretary Jim Nicholson announced that he
had named
Richard M. Romley, a former prosecutor from Maricopa County,
Ariz., as
his new special adviser for information security. Romley, a
Marine
Corps veteran, will evaluate the department's computer
security
procedures and recommend improvements.
The move follows the resignation last week of Michael H.
McLendon, a
VA deputy assistant secretary who learned of the May 3
burglary within
hours of the crime but did not immediately tell top-ranked
officials.
Nicholson announced Tuesday that the employee will be fired
and that
Dennis M. Duffy, who has been acting assistant secretary for
policy
and planning, had been placed on administrative leave. The
employee
worked in McLendon's office, and Duffy was in charge of the
division
in which both worked.
Nicholson learned of the information breach on May 16 and
told the
public on May 22, nearly three weeks after the crime.
© 2006 The Washington Post Company
_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
|