Two Maryland teens were arrested early on August 5th in connection with the theft of a laptop belonging to the Veterans Administration (VA), which contained unprotected personal data on 26.5 million veterans.
Christian Brian Montano and Jesus Alex Pineda, both 19 and of Rockville, Maryland, were arrested and charged with theft and conspiracy to commit burglary, police said. Charges were also pending against an unidentified juvenile male suspect.
Authorities said the theft was a "random burglary" and that the suspects did not know what the laptop contained until the theft had been made public.
The laptop itself had been returned to the VA by an unidentified informant, after the agency offered a $50,000 reward for its return or tips leading to the thieves.
No information was provided to the public regarding how the laptop was obtained by the informant, or if the informant had any relationship to the suspects.
The recovery of the laptop led the Bush administration to withdraw its offer of a year of free credit monitoring for the veterans, a move heavily criticized as insulting to the veterans, particularly in light of the offer being standard practice for most cases of data breaches or widespread identity fraud.
Although FBI analysts who examined the returned laptop said there was a "high degree of confidence" that it had not been tampered with, representatives of the veterans said that the assertion was unsubstantiated and they should have more protection for their personal information.
VA Officials In The Hot Seat
The analyst who had taken the laptop home with him and was burglarized had not previously been identified, due to the ongoing investigation. The Washington Post identified him as Wayne Johnson, a government worker who had been with the VA for more than thirty years.
Johnson had been taking data home to work on for as long as three years without authorization, according to a scathing report by VA Inspector General George Opfer on the agency's data security practices.
Although Johnson immediately notified the agency of the theft, VA Secretary Jim Nicholson did not hear about it for several days, and did not inform the public until several days after he himself found out, according to the Post.
Nicholson reported that Johnson was being dismissed from his position, a move Johnson is fighting, and the embarrassment caused by the breach has led to multiple resignations and departures from the agency.
Government Negligence
The VA data breach has shone a harsh light on how government agencies secure their data and the methods they use to ensure internal and external information security. Investigation of the laptop theft revealed that the VA had suffered two earlier data breaches over the previous year that had been kept quiet.
During testimony before the Veterans Affairs' Committee in June on the nature of the thefts and the VA's data security practices, the VA found evidence that contracting agencies who were providing medical transcription services had outsourced the work to subcontractors in India and Pakistan without providing adequate oversight or controls for veterans' personal privacy.
The Government Accountability Office (GAO), which had provided numerous reports detailing government contractors' lack of privacy practices for protecting information, noted that the VA did not have the authority to enact stronger security measures at the time.
The GAO has extensively documented the vulnerabilities many agencies have in protecting information that is outsourced to contractors, particularly Social Security numbers. SSN-based identity theft can be the hardest form of fraud to track and has potentially devastating consequences for any victim.
The VA has issued numerous plans for upgrading its security infrastructure and stronger oversight for determining which employees need to take personal information away from the office. As one VA employee (who asked not to be identified) told ConsumerAffairs.com, "Things were getting really bad for a while there [after the theft was announced], but it's getting better."
