Authorities have recovered a laptop and hard drive containing personal information on 26.5 million U.S. military veterans and their spouses, and determined that the data was not accessed, the U.S. Department of Veterans Affairs announced Thursday.
The U.S. Federal Bureau of Investigation told the VA Thursday morning that the personal data on the hardware was not accessed by thieves, VA Secretary R. James Nicholson told the House of Representatives Veterans Affairs Committee. The FBI conducted forensic testing on the two devices, he said.
The laptop and hard drive were stolen from a VA analyst's home in early May.
"This is a reason to be optimistic," Nicholson said earlier. "It's a very positive note in this entire tragic event."
The stolen hardware contained unencrypted data with names, Social Security numbers, dates of birth, and some limited health information on military veterans.
As Nicholson announced the recovery, Representative Bob Filner interrupted him. "Mr. Secretary, does this leave you off the hook?" he said.
Who's to Blame?
The VA continues to have major data security problems, Filner (D-California) said during the hearing. While Nicholson has called the analyst who took the data home "grossly negligent," VA officials who failed to notify Nicholson of the breach for nearly two weeks haven't been held responsible, Filner said.
The committee has learned that the analyst had permission to take the hardware and data home, contradicting earlier statements from Nicholson, Filner added.
The recovery "doesn't change the fact that your intentions seem to be to blame all of this on one guy," Filner said. "He informed the cops in 52 minutes. Your guys didn't inform you for several days. Who was grossly negligent?"
VA Still Under Scrutiny
Committee Chairman Steve Buyer (R-Indiana) reiterated concerns that the VA has been repeatedly warned of lax security practices going back to 1997. The VA's decentralized structure, with three divisions largely controlling their own IT systems, makes it "practically impossible" to secure the VA's systems, Buyer said.
Security experts have told the committee fast action and timely communication to victims are needed to recover from data breaches, Buyer said. "The word 'quick' does not seem to characterize anything about the VA's response to this threat over the years," he added.
Nicholson told the committee the data theft was a wake-up call for the agency. "This has brought to the light of day some real deficiencies in our department," he said.
Since the data theft, the agency has drafted a policy requiring encryption of sensitive data, and the agency is looking at contracts with data breach analysis firms that can track whether data has been compromised, Nicholson said. The agency is also looking into its policy on security clearances, and it began a reorganization of its IT structure late last year, he said.
"I have taken many proactive steps," he said.