WASHINGTON – Under intense bipartisan fire from Capitol Hill, Veterans Affairs Secretary Jim Nicholson said Wednesday he was outraged by his agency's decision to keep the theft of veterans' personal data quiet for two weeks.
"I will not tolerate inaction and poor judgment when it comes to protecting our veterans," said Nicholson, declaring that he initially left it to VA investigators rather than calling the FBI.
"I am outraged at the loss of this veterans' data and the fact an employee would put it at risk by taking it home in violation of our policies," he said in a statement to The Associated Press. "Upon notification, my first priority was to take all actions necessary to protect veterans from harm."
He said he had asked the department's inspector general to expedite an investigation to determine who was responsible for the time delay in revealing the burglary.
Nicholson's remarks come amid growing outrage from lawmakers over the May 3 theft, which involved the birthdates and Social Security numbers of 26.5 million veterans. The VA employee had taken the information home without authorization.
On Wednesday, Sen. Patrick Leahy said President Bush should call Nicholson "into the woodshed" because of the theft of personal data involving some 26.5 million veterans. Citing past budget problems at the VA, Leahy said Nicholson should consider resigning.
"It all adds up to a heckuva bad job for America's veterans," said Leahy, D-Vt. "The President should call Secretary Nicholson into the woodshed for a serious shake-up in how the VA is run."
Burglars on May 3 took the government-owned laptop and disks from the VA employee's suburban Maryland home. The equipment contained information mainly on veterans discharged since 1975.
But the FBI was not notified until late last week, two law enforcement officials said Tuesday, a move that delayed a warning to veterans now at risk in one of the nation's largest security breaches.
The Senate Homeland Security Committee and the Committee on Veterans Affairs said they would hold a joint emergency hearing Thursday and call Nicholson to testify. "Twenty-six million people deserve answers," said Sen. Larry Craig, R-Idaho, chair of the VA panel.
Sen. John Kerry, D-Mass., and Rep. John Salazar, D-Colo., introduced legislation late Tuesday that would require the VA to provide free credit monitoring and reports to the affected veterans.
In a written briefing to Congress, acting VA inspector general Jon Wooditch said the agency did not appear to do enough to prevent the breach.
In every year since 2001, the office warned that access controls were a "material weakness" in the department's security of information, Wooditch wrote. The briefing paper cited vulnerabilities related to the operating system, passwords, and a lack of strong detection alerts.
Matthew Burns, an agency spokesman, did not return phone calls Tuesday. The agency has said it was seeking to act promptly to inform veterans by setting up a telephone hot line and a Web site.
According to Nicholson and law enforcement officials, the thieves stole equipment containing the data. There was no evidence the home was targeted for the data or that the thieves even knew they had it.
The employee promptly notified the VA, which began its own review but did not immediately tell the FBI. Nicholson said Monday that the selected release of information was to avoid compromising the investigation.
The breach is second only to a hacking incident last June at CardSystems Solutions in which the accounts of 40 million credit card holders were compromised.
Barry Steinhardt, director of the technology and liberty program at the American Civil Liberties Union, said the news was particularly concerning because the data lost -- Social Security numbers and birth dates -- can be used as a gateway to get "virtually anything."
The White House sought to reassure the nation's veterans.
"We have no indication that these have been used to defraud the 26.5 million people whose personal information would have been contained," White House press secretary Tony Snow said.