Friday, June 23, 2006

more data theft...

four articles...

June 24, 2006 -- The epidemic of personal data thefts continues at breakneck speed. Yesterday, the Navy announced that Social Security Numbers and dates of birth on 28,000 naval personnel and family dependents were leaked to a publicly-accessible web site. Shortly prior to that announcement, the Department of Agriculture reported the compromise of 26,000 Social Security Numbers and other personal details on 26,000 Agriculture employees. WMR has previously reported that these thefts are part of a covert U.S. intelligence program to steal personal data on Americans and others to populate Total Information Awareness system surveillance databases. Two officials of two U.S. intelligence activities have confirmed the existence of this program but the FBI has been hamstrung by higher authority not to investigate the thefts thoroughly. WMR's June 17 chart on the data thefts has been updated (below).
=======================

Government hit by rash of data breaches

By HOPE YEN, Associated Press Writer

Thu Jun 22, 8:07 PM ET

The government agency charged with fighting identity theft said Thursday it had lost two government laptops containing sensitive personal data, the latest in a series of breaches encompassing millions of people.

The Federal Trade Commission said it would provide free credit monitoring for 110 people targeted for investigation whose names, addresses, Social Security numbers — and in some instances, financial account numbers — were taken from an FTC attorney's locked car.

The car theft occurred about 10 days ago and managers were immediately notified. Many of the people whose data were compromised were being investigated for possible fraud and identity theft, said Joel Winston, associate director of the FTC's Division of Privacy and Identity Theft Protection.

"Basically these were attorneys who were going to file a lawsuit, and they had relevant evidence on their laptops," Winston said, noting that the FTC employees did not violate security procedures by storing the password-protected laptops in their cars.

"We will be reassessing what procedures we have to make sure reasonable measures are taken to protect data," he said.

The disclosure comes amid a widening data breach that is expected to cost the government hundreds of millions of dollars. In all, five government agencies have reported data theft, including the Veterans Affairs Department, which on May 22 acknowledged losing data on up to 26.5 million veterans.

Among them:

• At the Agriculture Department, a hacker broke into the computer system, obtaining names, Social Security numbers and photos of 26,000 Washington-area employees and contractors. Victims will be offered free credit monitoring for a year after the break-in in early June.

• At Health and Human Services, personal information for nearly 17,000 Medicare beneficiaries may have been compromised in April when an insurance company employee called up the data through a hotel computer and then failed to delete the file.

• At Energy, Social Security numbers and other data for nearly 1,500 people working for the National Nuclear Security Administration may have been compromised when a hacker gained entry to its computer system last fall. Officials said June 12 they had learned only recently of the breach.

On Thursday, a House panel was cautioned that credit monitoring alone may not be enough to protect Americans whose names, birth dates and Social Security numbers were compromised at the hands of the government.

"The worst-case scenario is that the veterans file finds its way to a public distribution source, such as the Internet," said Mike Cook, a co-founder of a company specializing in data breaches.

"If this happens, the stolen identities will lose their connection to the VA data breach and groups of fraudsters might actively trade that data among the fraud community," he said. "More people might have access and could misuse those identities on a grander scale."

The Senate Appropriations Committee approved $160 million in emergency funds for credit monitoring for veterans on a 15-13 vote; some Republicans objected because the VA has said it can use existing funds to pay for credit checks.

"I don't think it's acceptable to tell our veterans we lost your personal information, and by the way, we're going to cut your health care to pay for it," said Sen. Patty Murray (news, bio, voting record), D-Wash., who sponsored the amendment to an agriculture spending bill.

On Wednesday, the VA announced it would provide free monitoring for a year, taking responsibility after the data was stolen from a VA employee's home in suburban Maryland. The VA said it would also hire a contractor to do data analysis to help pinpoint identity theft; the agency, however, did not offer specifics, saying it wanted to see what bids they receive.

Noting "it's not going to be cheap," VA Secretary Jim Nicholson pledged not to take the money from current VA programs. So far, the department has already spent $14 million to set up a call center and notify veterans by letter, and it's spending an additional $200,000 a day to maintain the call center.

During the House hearing Thursday, Cook said identity theft victims typically don't become aware they've been hurt until six months after their data was stolen, when creditors come calling for money owed. At that point, it's likely the thieves will have moved on — having made just a few purchases so they don't attract notice — and started using another victim's information.

As a result, a credit monitoring service would raise a red flag after it was too late, Cook said. He said data analysis technology was available to help pinpoint identity theft as it occurs, particularly in the typical cases in which thieves use stolen identities to fraudulently obtain credit cards and then make purchases.

Rep. Steve Buyer, chairman of the House Veterans Affairs Committee, said he believed the VA and Congress should consider additional safeguard measures — even if it means costing taxpayers more.

"The concern is, are we creating a false expectancy — that if the VA does credit monitoring, I am safe?" said Buyer, R-Ind. "I still have great fears."

There have been no reports of identity theft so far from the VA data breach, one of the nation's largest. But Nicholson acknowledged this week that authorities — who believe the burglars were not specifically targeting the sensitive data — are nowhere close to apprehending those responsible.

___

Associated Press writer Libby Quaid contributed to this report.

===========================


USDA says hacker may have stolen employees' data



Thu Jun 22, 10:22 AM ET

A computer hacker may have stolen "personal identity information" for 26,000 current and former Agriculture Department headquarters employees, agency officials said.

USDA announced the security breach shortly before midnight on Wednesday, nearly three weeks after it occurred. It offered one year of free credit-monitoring services to the potentially affected employees.

The agency said that its computer systems were illegally accessed during the first weekend of June. Officials said that at first they thought the personal information was still protected, but now they are not sure the data is safe.

At risk are the names, social security numbers and photos of USDA headquarters employees and contractors. The 26,000 names represent one-fourth of USDA's work force. The information was in the same database as work site information that is open to the public.

USDA said it contacted "appropriate law enforcement agencies" and its inspector general was conducting an investigation as well.

This marks the latest security breach of personal data in the U.S. government. In May, a computer with private data on more than 26 million military personnel was stolen from the home of a Veterans Affairs Department employee.

===================================



Yahoo! News

Visa says ATM breach may have exposed data

By MICHAEL LIEDTKE, AP Business Writer

Tue Jun 20, 10:13 PM ET


Visa USA on Tuesday confirmed an ATM security breakdown has exposed more consumers to potential mischief, the latest in a long line of lapses that have illuminated the often flimsy controls over the personal information entrusted to businesses, schools and government agencies.

The latest breach dates back to February when San Francisco-based Visa began notifying banks of a security problem affecting a U.S.-based contractor that processed automated teller machine transactions.

Visa, one of the nation's largest issuers of credit and debit cards, publicly acknowledged the trouble Tuesday in response to media inquiries prompted by Wachovia Bank's decision to replace an untold number of debit cards issued to its customers.

Charlotte, N.C.-based Wachovia issued the card replacements last week as an antifraud measure, said bank spokeswoman Mary Beth Navarro. She declined to explain the circumstances that triggered the action after several months.

Visa also gave out few details about the incident. Thousands of banks have issued millions of debit cards bearing the Visa logo.

In a statement, Visa said it is working with its member banks and authorities "to do whatever is necessary to protect cardholders."

Under Visa's policy, consumers aren't held liable for any unauthorized purchases made with their cards.

Visa's security headache is hardly isolated.

In recent years, a wide range of businesses and bureaucrats have fumbled away Social Security numbers and other sensitive information that could be used to tap into the finances and credit records of unwitting consumers.

In one of the most far-flung breaches to surface so far, the Social Security numbers and other personal information of 26.5 million U.S. military veterans were stolen last month when an employee took some digital data to review at home.

Visa has encountered security problems with other contractors besides the ATM processor that triggered the February alert.

CardSystems Solutions Inc., a payment processor used by both Visa and rival MasterCard International Inc., suffered a lapse that exposed up to 40 million credit and debit card accounts to potential abuse between August 2004 and May 2005. The thieves are believed to have grabbed data from a small fraction of those accounts.

Visa and Wachovia weren't even the only major financial services companies owning up to security breaches on Tuesday.

Equifax Inc., one of the nation's three major credit bureaus, said a company laptop containing employee names and Social Security numbers was stolen from an employee who was traveling by train near London.

The theft, which could affect as many as 2,500 of the Atlanta-based company's 4,600 employees, happened May 29 and all employees were notified June 7, spokesman David Rubinger said.

Employee names and partial and full Social Security numbers were on the computer's hard drive, though Rubinger said it would be almost impossible for the thief to decipher the information because it was streamed together.

"It would be very difficult to link this information and determine they were actual Social Security numbers in the first place," he said.

No other employee information was on the computer, he said, and there was no customer data on the computer.

Equifax's breach was similar to another one involving a laptop containing the Social Security numbers and other personal data of 13,000 District of Columbia employees and retirees.

That computer was stolen last week from the Washington home of an employee of ING U.S. Financial Services, according to officials with the company, which administers the district's retirement plan.

The laptop was not password-protected and the data were not encrypted, officials have said.
