Stolen V.A. Laptop Recovered – No Identity Thefts Reported

The stolen laptop computer containing records on 26.5 million veterans has been recovered, apparently without any of the data having been compromised.

The government has recovered the stolen laptop computer containing sensitive data for up to 26.5 million veterans and military personnel, Veterans Affairs Secretary Jim Nicholson announced Thursday.

Nicholson also said there have been no reports of identity theft since the May 3 burglary at the Maryland home of an agency employee. “There is reason to be optimistic,” he told reporters just before the start of another in a series of hearings Congress has had on one of the worst breaches of information security. “It’s a very positive note in this very tragic incident,” Nicholson said.

Fantastic news, indeed.

FILED UNDER: Congress, Uncategorized,
James Joyner
About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College. He's a former Army officer and Desert Storm veteran. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. ICallMasICM says:

    You know there’s quite a bit that’s odd about this story from the outset. If there was some sort of db containing 26.5 million records on it you’re probably talking multiple terabytes of data in a password protected database. Why this would be on a laptop loaded up with server sized disk space is unclear unless it wasn’t really a theft. I don’t know how the VA operates its data storage but there are a lot of things that are very odd about this story.

  2. Michael says:

    If there was some sort of db containing 26.5 million records on it you�re probably talking multiple terabytes of data in a password protected database.

    Not so, all that can be stored in as little as a couple GB depending on the amount of data per record.

  3. legion says:

    Absolutely, ICallM. No way can an ordinary laptop manipulate (or possibly even load) a database with that many records…

    Has anyone seen any news on the investigation of the guy who “lost” the info in the first place?

  4. legion says:

    Michael,
    Yes, it it’s bare-bones info in raw text, but there was supposedly enough data in each record to facilitate ID theft, so it’s gotta have at least full name, DOB, SSN, and probably a few other things as well… What the heck was the purpose of the original DB, anyway? Was it for billing? or medical history? Has that ever been discussed in the press?

  5. ICallMasICM says:

    ‘but there was supposedly enough data in each record to facilitate ID theft, so itâ??s gotta have at least full name, DOB, SSN, and probably a few other things as well’

    Right – and I maybe wrong but I was under the impression that the 26.5 m records relates to individual personnel and other beneficiary records so add in whatever the associated transaction records and reference tables there are for the rdbms. Unless the disk was swapped in from another machine for some unknown reason – and if it was theft just take the disk – I’m very skeptical about the whole situation.

  6. Bithead says:

    First…
    As to how they knew the stuff hadn’t been accessed; Everything past about nt3.51 (Assuming NTFS) contains a record of last file access and last file modified among other things.

    Secondly…

    And does the government being involved in the more celebrated laptop theft, constitute a larger security breach, than say a private concern? I don’t think so, though it certainly does make a handy lever, if you don’t happen to like the current administration.

    Think I’m kidding? Consider the following story from the Register:

    Health insurance firm Medical Excess one-upped the laptop loss crowd by forking over an entire server with personal information on close to 1m people.

    Medical Excess – an AIG company – began notifying customers this month that a break in at one of its offices has resulted in the the theft of a camera, two laptops and a file server. That server happened to contain the names, birth dates and social security numbers of 970,000 people. Even worse, some individuals have had their medical and disability information compromised by the theft.

    “The investigation following the theft of the server was quite complicated because data that was equal to one hundred million typewritten pages was stored on the server, much of which had to be manually reviewed,” Medical Excess wrote to customers, in a letter obtained by The Register.

    Wouldn’t you think that this kinda of theft that The Register is writing about here would get equal billing in the media, to the screaming over the VA a few months ago? That the volume of screaming is far from equal for the data thefts of private information not involving the federal government, should give a clue.