Veteran’s Administration May Be Engineering Its Next Big Data Breach

In May, the Veterans Administration was forced to announce that a computer containing the names, Social Security Numbers, and other personal information of 26.5 million veterans was missing. The laptop computer had been stolen from the home of a VA data analyst. As bad as the breach was, the VA was able to announce that the computer was recovered last month. Even more important was word that came from the FBI that there was no evidence that the file containing veterans’ information had been accessed. But not so fast. The VA now apparently wants to turn over a copy of the stolen database to a private company, without the permission of impacted veterans.  Based upon this, the only logical conclusion is that FBI is not sure if the computer’s data was actually breached.

 

Shortly after the theft of the laptop, the VA fired the analyst who took it home for violating the department’s security policies. The department also requested $160 million in funding to pay for credit monitoring services for veterans over the course of the next year. But this request was mired in controversy almost from the beginning.

 

First, a federal court judge forbid the VA from actively promoting credit monitoring to veterans. He did this because of a class action suit file against the VA as a result of the data breach. Then once the computer was recovered and the FBI made the announcement that the data on it had not be tampered with, the VA quickly withdrew the credit monitoring offer along with the funding request.

 

Since the breach, there has been a push from within the VA to hire a company to provide “data breach analysis” to the department. The purpose of such a relationship would be to identify weaknesses in data security and to allow the department to know if the stolen data was being used for identity theft. Calls for such a relationship within the VA have not diminished, even with the FBI’s claims.

 

When ACCESS spoke with Matt Burns, a spokesman for the VA, in mid July we were told that a variety of companies would be bidding on the project when the government finally released its RFP (request for proposal). When asked if the company winning the governments bid would be given access to veterans’ data, or a copy of the VA’s database, Burns said that no determination about this had been made yet and that any comments “would be speculative at this point.”

 

But according to Aaron Titus, a data analyst specializing in security matters and head of PrivacyFreaks.org, the type of data breach analysis that the VA wants can only be accomplished if data access is granted to the company winning the bid.

 

Essentially, data breach analysis involves a comparison of data. In this case, the government wants to know if any of the 26.5 million veterans whose names were on the PC ever become victims of identity theft. The only way to find that out is by comparing their data to applications for credit. As Titus put it, “You can’t compare data unless you have something the compare it to.”

 

“They could use a dumbed-down list – shortening Social Security Numbers and using partial names – but this would be less accurate,” Titus said. This method would also provide little help to impacted veterans as it would not identify specific people who had their data stolen and used.

 

Companies that conduct data breach analysis maintain their own consumer databases. One such company which had one of its executives, Mike Cook, testify before Congress in recent hearings is ID Analytics. As it turns out, ID Analytics has now won the VA contract for data breach analysis according to a press release on the company’s website. Because the company has offered to provide its services to the VA for free, it may have contributed to the VA’s decision to withdraw its earlier offer of credit monitoring to veterans.

 

In an interview with ACCESS, Karen Stadelmeier who works for ID Analytics told us that the VA would be providing a copy of the database to the company. In a follow-up interview with Stadelmeier and Mike Cook, we were informed that prior to the data being turned over to the company, they would have to pass a VA security audit.

 

But such an audit may not mean much if it is actually administered by the VA. In the latest Congressional Scorecard on data security, the VA received a failing grade. This calls the legitimacy of any audit conducted by the VA into question.

 

When asked how long ID Analytics would be in possession of the data, Cook wouldn’t give details but he did say that the company’s services would be ongoing and over a long period of time. “Fraudsters are smart,” Cook said. “They know that when companies offer credit monitoring services for a year, then they need to hold onto the information that they have stolen for a year and a day. The key to stopping fraud is to maintain data for a long time and never let the fraudsters know how long you will be monitoring it.”

 

When asked if veterans would be given the opportunity to opt out of having their data included in the monitoring, Cook said that he thought the company would allow this. But he went on to say that it helped to have access to 100% of the data when attempting to find patterns of fraud. Stadelmeier said that the question of whether or not opt-out would be allowed should be directed to the VA.

 

But after our initial phone call with Matt Burns of the VA on July 20, and a follow-up e-mail message asking a number of pointed questions about the program, ACCESS is still waiting for answers. A call to the VA Inspector General’s office directed us back to Burns.

 

The contract with the VA raises a number of troubling issues. Data sharing is widely recognized as one of the primary weak spots in the protection of consumer privacy. Regardless of the security measures taken, any time copies of consumer data are made, there is an increased risk to the consumer. Risk that the data will be lost. Risk that it may be stolen. And risk that it will get mixed up with other data. Data sharing within banking and credit industries is one of the primary reasons that 79% of credit reports have errors in them.

 

The agreement may also violate the Privacy Act of 1974. According to the Department of Justice’s website, the act contains a “No Disclosure Without Consent” rule. This reads, "No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [subject to 12 exceptions]." 5 U.S.C. § 552a(b).”

 

But the privacy act contains one huge loophole known as “routine uses”; a clause which has become a catch-all for the government and is routinely abused. If the VA declares that contract falls under “routine uses”, the database may be turned over without requiring the agency to obtain consent from affected veterans. But even under these conditions there are still requirements which must be met, including an announcement that must be placed in the Federal Register.

 

It should also be noted that ID Analytics is a registered lobbyist with both the House and the Senate. Eleven pages of written testimony from the company were entered with the Subcommittee on Financial Institutions and Consumer Credit in support of HR 3997. This bill has been referred to as the “Worst Data Bill Ever” by PIRG. If it ever becomes law, a very weak federal standard for consumer notification on data breaches would replace much stricter state laws in 34 states. The may also prevent consumer who have not already become identity theft victims from freezing their credit files; the only known way to prevent identity theft.

 

The testimony attempts to minimize the impact of data breaches. It stated that in an analysis conducted by ID Analytics of a data breach involving over 100,000 consumers, only .098% of the consumers involved had any type of “identity fraud”. This would mean that of the 26.5 million veterans and active duty personnel whose data was lost by the VA, nearly 26,000 of them could expect to become identity theft victims. It should be pointed out that in this event, it would make the VA breach the largest single source for cases of identity theft that ACCESS is aware of.

 

If the FBI is certain that the data which was contained on the computer was not breached, as the agency has publicly proclaimed, then there is no need to expose 26.5 million veterans who have already been victimized to further privacy intrusions. As previously mentioned, one of the largest privacy issues confronting consumers today is the sharing of their personal data without their consent. ACCESS is firmly opposed to any data sharing that does not include consumer consent, regardless of intent.

 

On the other hand, if the FBI is unsure about its original forensic analysis and now believes there to be a risk of identity theft to those whose names were included on the computer, then it is time for them to say so. In that event, there are a variety of options that Congress should consider. ACCESS is aware of at least one free credit monitoring service that is about to launch which would negate any need to request hundreds of millions of tax dollars for such a service. 

 

Technorati Tags : data+breach, VA, veterans+administration, privacy, identity+theft, id+analytics