Stolen personal data for 26.5 million veterans and military personnel may have been erased by teenagers who sold the computer equipment, Veterans Affairs Secretary Jim Nicholson said Thursday.
In testimony to Congress, Nicholson accepted responsibility for the May 3 burglary at a VA data analyst's home. He said the agency remains vulnerable to other security lapses and that changes won't happen overnight.
"This has been a painful lesson for us at VA, and I am committed to assuring that we have the people, adequately trained, policies and procedures in place to assure that this could not happen again," Nicholson told the House Government Reform Committee.
He explained that the burglary occurred in an Aspen Hill, Md., neighborhood in which there had been a pattern of thefts by young burglars who took computer equipment, wiped them clean of the data and then sold them on college campus or high schools.
"We remain hopeful this was a common random theft and that no use will be made of this data," Nicholson said. "However, certainly we cannot count on that."
Lawmakers were skeptical. They noted that the committee and the Government Accountability Office, Congress' investigative arm, had warned the VA for years that security was lax.
"Secretary Nicholson, you blame this on an employee who was fired, on a culture, on people doing what they're not supposed to be doing," said Rep. Henry Waxman of California, the panel's top Democrat. "That doesn't sound like we're getting to the heart of this with passing the buck."
Added Rep. Christopher Shays, R-Conn.: "It is beyond stupid to take out sensitive documents."
Congress is trying to determine whether the VA took proper steps to guard against the unauthorized disclosure of personal information. The VA has said the data analyst — who has been fired — violated procedures by taking home for three years the names, Social Security numbers and birth dates without permission.
Earlier this week, Nicholson acknowledged that the stolen data — which was stored on the employee's personal laptop — included personal information on about 2.2 million active-duty military, Guard and Reserve personnel. The agency originally said the number was 50,000.
During the hearings, Nicholson pledged new initiatives to protect private information, saying he ordered that no personal laptop would be allowed to access the VA network. About 35,000 VA employees have that clearance, although not all have access to veterans' personal information.
Rep. Steven LaTourette, R-Ohio, pressed Nicholson on whether the VA had received any reports that the stolen data had been used for identity theft.
LaTourette said one Gulf War veteran, Steven Michel of Ashtabula, Ohio, had reported he might be a victim after discovering he had not received his monthly VA disability check.
Nicholson said local and federal law enforcement have not notified the VA of any identity thefts stemming from the data breach, one of the nation's largest.
Under questioning, Nicholson also said:
—The VA will look after the best interest of veterans and military personnel should there be identity theft. But he would not say whether that would include financial compensation. "We have coordinated closely with the three major credit agencies to make available to every citizen a free credit check and credit alert."
—The VA has determined that the breached information for 300 of the 26.5 million people included disability ratings. The annotations included notes such as whether a veteran had asthma or a herniated.
Veterans groups have criticized the VA for a three-week delay in publicizing the burglary. The VA initially disclosed the burglary May 22, saying it involved the names, birth dates and Social Security numbers — and in some cases, disability codes — of veterans discharged since 1975.
Since then, it has also acknowledged that phone numbers and addresses of many of those veterans also may have been included.
Several veterans said Thursday they lived in fear that their identities might be stolen and won't be at peace until the burglars are caught.
"I'm stuck wondering, worried and waiting now," said Michel, 33, who says the VA told him the missed disability payment was unrelated to the data theft. "I'm hoping and praying it's an isolated incident. But how can anybody tell me for sure that I'm not affected?"