Stolen Laptop with Veterans' Information Returned
JENNIFER LUDDEN, host:
Law enforcement officials say they've recovered a laptop and hard drive stolen last month from the home of an analyst for the Department of Veteran's Affairs.
The equipment contained personal information on some 26 million veterans. There were concerns about possible identity theft. Authorities say there's no sign the data has been used for that. But as NPR's Larry Abramson reports, all those veterans may still be at risk.
LARRY ABRAMSON reporting:
VA Secretary James Nicholson has had a lot of explaining to do about why he only learned the laptop had been stolen three weeks after the theft occurred last month. He only learned it had been recovered when he arrived for his umpteenth appearance on Capitol Hill yesterday before the House Veteran's Affairs Committee.
Mr. JAMES NICHOLSON (Secretary of Veteran's Affairs): What I've been told is that there have been no arrests made, that this data was provided to law enforcement and that the reward is operative.
ABRAMSON: The FBI says a tipster turned in the laptop and may get that reward.
The FBI's initial examination of the laptop and the external hard drive indicate that no one has accessed the data. Computer forensics experts say a standard attempt to view or copy the information would leave traces that the FBI could see.
But Beryl Howell, with the Digital forensics firm Stroz Friedberg, says a clever thief would know how to mirror the information without leaving behind footprints.
Ms. BERYL HOWELL (Executive Vice President, Stroz Friedberg): There are forensic methodologies that are used that are designed specifically to copy data from electronic storage media without altering the original data at all, not altering the text, the content of the files, nor even altering the metadata associated with those files.
ABRAMSON: Police have always assumed the information was stolen more or less by accident by a burglar who happened to hit the jackpot, but it's impossible to be sure. So the recovery of the laptop may not help solve the VA's biggest problem right now - how to monitor the credit reports of millions of veterans to prevent identity theft.
Secretary Nicholson had asked Congress for $160 million to pay for a year of credit monitoring. Now, he says he's thinking about whether another approach would be cheaper and more effective.
Mr. NICHOLSON: Which is to put this data screen technology to work that is very effective in seeing whether sets of data are being used for nefarious purposes.
ABRAMSON: That approach does not require watching millions of credit records, but that may not satisfy veteran's groups, who have once again called on the VA to provide free credit monitoring to all effected vets.
That's just one indication of the headlock Secretary Nicholson is caught in as he tries to upgrade a failed security system while dealing with one of the biggest data breaches in history. If that weren't enough, Nicholson got hit with a couple of sucker punches during yesterday's House hearing.
Florida Congressman Jeff Miller.
Representative JEFF MILLER (Republican, Florida): One other question. Are you aware your cybersecurity chief is resigning as of today?
Mr. NICHOLSON: Am I aware that my cybersecurity chief is resigning today?
Rep. MILLER: Yeah. Is there any truth to that?
Mr. NICHOLSON: I did - I'm not aware of that.
Rep. MILLER: Is anybody at the table aware of that?
ABRAMSON: Nicholson's aides were aware, they just hadn't gotten around to telling their boss that cybersecurity Chief Pedro Cadenas was quitting, apparently in part because of the pressure he's been under.
Despite the reappearance of that mysterious laptop, the pressure for those staying at the VA will probably get worse as Nicholson fights on-going security problems, an unhappy Congress, and angry veterans, some of whom have joined three separate class action lawsuits over data theft.
Larry Abramson, NPR News, Washington.
(Soundbite of music)
LUDDEN: This is NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.