VA Data Recovered Along With More Leaks

In a good news bad news moment Veterans Affairs Secretary Jim Nicholson made the announcement Thursday June 29^th that it has recovered the stolen laptop computer that contained sensitive information on over 26 million veterans and military personnel. The FBI said a preliminary review found no evidence that anyone accessed Social Security numbers and other data on the equipment.

The announcement came before the latest in a series of hearings Congress has been having on one of the worst breaches of information security. Nicholson told Congress that a new tracking system has revealed another breach: more data is missing from a VA center in Indianapolis. This time the data involves 16,500 veterans, plus files for patients in a long-term care facility in Minneapolis. This prompted one congressman to ask if there are even more data losses that haven't been revealed. He got this surprise answer from Deputy Secretary Gordon Mansfield

"Sure, we have a whole list,"

The committee hearing examined the VA data breach, the largest in government history, in the context of information security concerns across the federal bureaucracy. The VA theft put at risk the unencrypted personal information of 26.5 million veterans and active-duty military members. But smaller security lapses take place routinely, said Clay Johnson III, deputy director for management at the Office of Management and Budget.

"I'm told that there are dozens of security breaches involving laptops in a year," Johnson said. "None of these involve 26 million, 27 million names. So this is the 100-year storm of security breaches. The magnitude of it is the alarming thing."

He said the key is to minimize the number and impact of data breaches by requiring agencies to tighten enforcement of existing security policies. "It is currently the standard that all sensitive data on laptops be encrypted," Johnson said. "That is the standard. It's just not enforced."

Despite assurances yesterday of stringent security policies from officials with the Internal Revenue Service and the Social Security Administration, both agencies have suffered smaller-scale breaches in recent months.

Early last month, an IRS employee lost an agency laptop on an airplane; it contained unencrypted names, birth dates and Social Security numbers for 291 workers and job applicants, agency officials said this week.

An SSA employee's personal laptop computer containing Social Security numbers and other sensitive information for 200 people was recently stolen at a conference the employee was attending, William E. Gray, a deputy commissioner at the agency, said in written testimony yesterday.

Lawmakers were incredulous. "It is beyond stupid to take out sensitive documents," said Rep. Christopher Shays (R-Conn.). "But I have the sense that this is a common practice."

 See CBS News

and Washington Post