VA Chief: Security Fix Will Take Time

Nicholson Says Security Reforms After Data Theft Won't Happen Overnight






VA Head Faces Grilling

The head of the VA is being called back to Capitol Hill on Thursday and he's expected to get another scalding. Bob Orr also reports that the government is making little headway tracking down the data.



(CBS/AP) Veterans Affairs Secretary Jim Nicholson told Congress Thursday that it's his responsibility to improve security at the VA after the theft of personal information for 26.5 million military personnel and veterans.

But in doing so, Nicholson also said that security reform won't happen overnight.

"I am totally outraged as to this loss of this data and the fact that an employee will put veterans at risk," Nicholson told the House Committee on Government Reform. "But it is my responsibility now to fix this. It is doable. It won't be easy and it won't be overnight because we will have to change the culture."

He pledged several new initiatives to protect private information, saying he ordered that no personal laptop would be allowed to access the VA network after the May 3 theft at a VA data analyst's home.

CBS Evening News producer Carter Yang says that there are 35,000 VA employees who can access the secure encrypted network from their computers at home, but that only gives them access to whatever they have on their work computers.

The VA does not know exactly how many people at the department have access to the sensitive data that the analyst in question did. They are conducting an audit which will determine that, among other things, Yang explains.

"We remain hopeful this was a common random theft and that no use will be made of this data," Nicholson said. "However, certainly we cannot count on that."

That drew a stern response from Rep. Henry Waxman, D-Calif.

"Secretary Nicholson, you blame this on an employee who was fired, on a culture, on people doing what they're not supposed to be doing," Waxman said. "That doesn't sound like we're getting to the heart of this with passing the buck."

Officials say that so far no soldier or veteran has been defrauded due to the stolen information, CBS News correspondent Bob Orr reports, but the FBI freely admits it has no idea where the computer files are and no idea whether they've fallen into the wrong hands.

Cyber-security experts estimate the street value of the stolen data, if it were to be sold to identity thieves, could run into the hundreds of millions of dollars. But critics say the small $50,000 reward offered for the recovery of the stolen laptop has produced no good leads for police.

The reward money is being offered by the Montgomery County Police Department, but it would be paid for by the VA Inspector General and the FBI.

Congress is trying to determine whether the VA took proper steps to guard against the unauthorized disclosure of personal information. In a March report card, the VA was one of eight departments given failing grades by the government reform committee for computer security practices.

Rep. Tom Davis, chairman of the committee, also said he wants to know why the VA is still trying to figure out what information was lost after the records were stolen from the data analyst's Aspen Hill, Md., home on May 3. "The bond of trust owed to those who served has been broken," he said.

Earlier this week, Nicholson acknowledged that the stolen data — which was stored on the employee's personal laptop — included personal information on about 2.2 million active-duty military, Guard and Reserve personnel. The agency originally said over the weekend that the number was 50,000.

Under questioning, Nicholson also said:

  • Local police believe the burglars were not specifically targeting the sensitive data. Recent crimes in the area involved young thieves who stole computer equipment from homes, cleaned out the data and then sold them on college campuses and high schools.

  • The VA will look after the best interest of veterans and military personnel should there be identity theft. But Nicholson would not say whether that would include financial compensation. "We have coordinated closely with the three major credit agencies to make available to every citizen a free credit check and credit alert."

  • The VA has determined that the breached information for 300 of the 26.5 million people included disability ratings. The annotations included notes such as whether a veteran had asthma or a herniated disk.

Veterans groups have criticized the VA for a three-week delay in publicizing the burglary. The VA initially disclosed the burglary May 22, saying it involved the names, birth dates and Social Security numbers — and in some cases, disability codes — of veterans discharged since 1975.

Since then, it has also acknowledged that phone numbers and addresses of many of those veterans also may have been included.

Rep. Chris Shays, R-Conn., said he was concerned that lax security practices might be widespread in several agencies, adding that there was no excuse for the VA breach.

"It is beyond stupid to take out sensitive documents," he said.





