Inspector: VA Warned Of Lax Security

Inspector General Told Congress Department Failed To Heed Years Of Warnings

(CBS/AP)  The theft of personal data for 26.5 million veterans came to the attention of the Veterans Affairs inspector general only through office gossip, he told Congress Thursday.

In four hours of testimony, IG George Opfer said the department failed to heed years of warnings about lax security and noted that the employee who lost the data when his house was burglarized had been improperly taking the material home for three years.

“We were on borrowed time,” Opfer told Senate and House panels investigating the breach.

Earlier, VA Secretary Jim Nicholson said he was “mad as hell” that he wasn't told about the burglary until May 16 — nearly two weeks after it happened. He then told the FBI on May 17, leading to a public announcement May 22.

Nicholson acknowledged that officials including Deputy Secretary of Veterans Affairs Gordon Mansfield knew about the incident earlier, but would not say whether Mansfield should be punished, citing a need for a full investigation.

“As a veteran, I am outraged. Frankly I'm mad as hell,” Nicholson said, pledging strong action against those responsible. “I can't explain the lapses of judgment on the behalf of my people. We will stay focused on these problems until we get them fixed.”

But three weeks after the names, birthdates and Social Security numbers of more than 26 million veterans were stolen from a VA employee's Maryland home, Nicholson's apology fell flat, reports CBS correspondent Bob Orr.

“I don't feel any of the personal pain or outrage of your action,” said Sen. Susan Collins, R-Maine, who chairs the Homeland Security Committee. “This was a monumental breach. It was inconceivable that it involved such long delays.”

At the House hearing, Rep. Bob Filner, D-Calif., called Nicholson's response unacceptable.

“In the last five years, a host of agencies have reported that the VA has had many problems with information security,” he said. “How did the VA react? With indifference.”

“You're not taking responsibility for this mismanagement debacle,” he said. “The most dramatic thing to take responsibility is to resign.”

White House press secretary Tony Snow said Thursday that wasn't going to happen.

“He'll have his opportunity to testify on Capitol Hill today,” Snow said of Nicholson. “I'm sure they will have sharp questions for him. But he's not tendering his resignation.”

During the hearing, Opfer pointed to the following missteps:

The data analyst routinely took home disks containing Social Security numbers, birth dates and disability information, without telling supervisors.

After the May 3 burglary, the data analyst informed supervisors. But the IG's office was never told, delaying an investigation until May 10, when one of its employees informally heard about a burglary — and that VA electronic records may have been stolen — while attending a routine meeting.

Mansfield, the VA's deputy secretary, was informed of the burglary on May 10. He then asked VA chief of staff Tom Bowman to look into the scope of the potential breach but did not tell the IG, according to a government official who insisted on anonymity because he was not authorized to speak on the matter.

In every year since 2001, the IG had pointed to the VA's information security as a “material weakness” that created a substantial risk, with little result from VA officials already grappling with budget shortfall and other accounting woes.

During the hearing Thursday, Rep. Steve Buyer, R-Ind., chairman of the House veterans panel, pressed Nicholson to give the nation's veterans assurances that their information will not be used for identity theft, or that they would be “made whole” if the information is misused.

Nicholson said he could not, saying that the VA would have to get more funding to compensate veterans. Nicholson has previously downplayed the potential danger, explaining that the May 3 theft appeared to be a random burglary.

“Before I can give you that assurance, I have to work with Congress ... if they suffer a loss,” Nicholson said, who added that it would take about $25 million alone to improve security procedures at his agency. “It will give piece of mind to veterans if they suffer a loss to have a system to compensate.”

But for now, it's veterans who are worried about paying a price, reports Orr.

"It's a helluva blow and an insult to us,” said Dave Tate, a Vietnam vet. “I sure hope they catch the people who have taken this information."

The VA employee is on administrative leave while local and federal law enforcement continue their investigation.

Meanwhile, the Montgomery County, Md., police department said Thursday it was offering a $50,000 reward for information leading to the return of the stolen data in Aspen Hill, which was stored on a laptop computer and external hard drive.

But the data is worth a whole lot more than that — each individual’s information is worth between $5 and $15 on the open market, reports CBS News correspondent Trish Regan.

Although none of the veterans have reported identity theft — yet — Regan has discovered that since May 1, the volume of Social Security numbers for sale on the Web has jumped 158 percent over average. It's the largest increase ever seen by Cardcops, a company that watches criminal Web sites.

A letter (.pdf) is being sent to those veterans affected. The government also set up a call center at 1-800-FED-INFO and a Web site for veterans who believe their information has been misused.