A day after the government announced the loss of sensitive personal information on more than 26 million U.S. veterans, questions remain about how truly deep the problem is.
That's because officials admit that data from some veterans' family members was lost, too. Veterans are asked to provide the Social Security numbers of their spouses and children.
Security experts say the potential for identity theft depends on what the thief was after. Security consultant Chris McGoey says if it was a simple home robbery, it's unlikely the stolen information will be used. However, he says under a worst-case scenario, the thief might have known exactly what to look for.
Veterans Affairs Secretary Jim Nicholson said there was no evidence so far that the burglars who struck the employee's home have used the personal data — or even know they have it.
But that sentiment fits along with the theme of downplaying the theft, which law enforcement offices seem to have been following from the start.
The burglary was reported on May 3, Orr reports. A long-time Veterans Affairs analyst told Montgomery County, Md., police someone pried open a window, broke into his home during daylight hours and stole a computer, an external drive, and a bag containing computer files.
Police records show another burglary was reported the same day just a few blocks away. But nothing was taken there.
About a week after the burglary, sources say, the VA contacted the local police and seemed to "downplay it then." Sources tell CBS News that the VA said the loss of data involved only "the names of hundreds of veterans" along with personal identifiers.
That changed dramatically Friday, May 19, when the FBI contacted local police and said "it was a much bigger deal" in terms of the personal information lost, Orr reports.
The Justice Department said it was not told about the theft of data on 26.5 million veterans until late last week — roughly two weeks after it was taken from a VA employee's home — raising questions of whether the agency acted quickly enough to notify veterans.
"Our investigation is ongoing," said Cathy Gromek, a spokeswoman for VA inspector general Jon Wooditch.
The VA disclosed this week that the personal information — mainly from veterans discharged since 1975 — was stolen from a mid-level employee's home in what appeared to be a routine burglary.
The material included the veterans' Social Security numbers, birthdates and in some cases a disability rating — a score of between 1 to 100 on how disabled a veteran is. The agency declined to say whether additional information regarding the nature of the disability was disclosed.
A letter (.pdf) is being sent to those veterans affected.
On Monday, the VA said it is notifying members of Congress and the individual veterans about the burglary. It also set up a call center at 1-800-FED-INFO and a Web site, http://www.firstgov.gov for veterans who believe their information has been misused.
The employee from whose home the data disk was stolen is mid-level career data analyst who carried home a work project that involved computer files containing the data. The employee has been placed on leave pending a review.
"He wasn't authorized to do that. In fact, that behavior was a violation of our policies," Deputy Secretary Gordon Mansfield told CBS Radio News.
Since 2001, the IG has reported security vulnerabilities related to the operating system, passwords, a lack of strong detection alerts and a need for better access controls, he wrote.
But privacy experts said Tuesday the potential for fraud is significant.
An estimated 3.6 million U.S. households, or three of every 100, reported being victims of identity theft in the last half of 2004, a U.S. Justice Department study found. The VA security breach is second only to a hacking incident last June at CardSystems Solutions in which the accounts of 40 million credit card holders were compromised.
"One thing we need to start doing is punishing people who violate the rules," said Barry Steinhardt, director of the technology and liberty program at the American Civil Liberties Union.
He noted that name, date of birth and Social Security number enable identity thieves to obtain credit reports, bank and credit card accounts and place of residence. In other cases, such information could let terrorists use false identities to board planes or allow illegal immigrants to get a job.
According to the Justice Department, burglars struck the home of the unidentified VA employee in early May and took a government-owned laptop with disks.
After the incident, the employee promptly informed the VA, which did not tell FBI until late last week, according to two law enforcement officials who spoke on condition of anonymity because they are not authorized to talk publicly about the investigation.
Matthew Burns, a VA spokesman, did not return repeated phone calls regarding the timing of the disclosure. In a news briefing Monday, Nicholson said the agency was seeking to act promptly to inform veterans by notifying members of Congress and setting up a call center and Web site.
Meanwhile, the White House sought to reassure the nation's veterans as Democrats pressed for a full investigation and accountability for the incident.
"This is a scandal," said Senate Democratic leader Harry Reid, D-Nev., in a briefing with reporters. "The information was kept from the American public. I would hope that the administration is figuring out a way to find out what happened and then find out some way to make sure that all these veterans are made whole."