Sunday, February 04, 2007

More VA Data At Risk? Reminds me of last summer

Looks like another black eye for the Department of Veterans Affairs. A hard drive containing thousands of unencrypted records apparently went missing. Here is what I wrote last summer for a local magazine, after the BIG data leak at the VA:

During a hotter than average summer you might think the only exposure problems we face in Saint Augustine are those caused by the UV index. And it would be nice to think the only chills we've been getting come from ice cream or the ice in our drinks. Unfortunately, some folks in town have been receiving chilling news about their personal exposure. It goes something like this: "Information identifiable with you was potentially exposed to others."

In fact, if you were one of the more than 26 million American veterans whose data was on an external hard drive stolen from the home of a Veterans Affairs employee in May, you will have read those words already, in a letter from the VA. What sort of data are we talking about? According to the letters that started going out in the first week of June: names, Social Security numbers, and dates of birth, as well as some disability ratings. That is enough information to get an identity thief started, running up bills in your name.

Sadly, some local veterans who bank with VyStar were hit with a double dose of chilling news about their personal exposure. They also received letters from the Jacksonville-based credit union informing them that hackers had acquired their names, addresses, Social Security numbers, birthdates, mothers' maiden names, and email addresses. The exact number of people affected was not revealed by VyStar, which would only say it was less than ten percent of its 344,000 membership. However, that type of data would give an identity thief a running start, in several directions. For example, the email addresses could be used for very targeted and effective "phishing" attacks in which falsified email is used to trick recipients into revealing such valuable data as account numbers and passwords.

I know that at least one of the affected VyStar members was a local resident, because I had breakfast with him recently, at Jasmine's on San Marco. Over a latté and breakfast burrito he lamented that he had received letters from both VyStar and the VA. Perhaps a little too glibly I said that if he got a third letter we would write an article about him. That afternoon I noticed a new security breach exposing Floridians. Approximately 133,000 Florida driver and pilot records were on a Department of Transportation laptop stolen from a government vehicle in July.

So how should you react if this happens to you? Are you at risk if your data is exposed? What can you do to protect yourself? To answer these questions, begin by examining any information you have about the exposure. For example, here's what VyStar said about that incident: "VyStar has no indication that the stolen data has been used or will be used for identity theft or fraud."

Fortunately, you don't need to be a computer security expert to see through that one. Your first clue that this is not a very reassuring statement is how the data was exposed. According to VyStar's own report, hackers stole it. These days, that is not good. In the good old days of mainframes and early personal computers the term "hacker" did not necessarily mean someone who broke the law, more like someone who broke into the technology just to see how it worked. Hacker today can mean someone who steals bank records, either for their own nefarious purposes, or for resale to someone even more nefarious. There is a thriving black market in identity data. Organized crime is a big player in that market.

Even if your data was on a computer stolen at random, which may be the case with the stolen VA laptop and hard drive, you need to be wary of assurances that "there is no indication the data has been used for identity theft." Any computer security professional would want to add the word "yet" to that statement. After all, how can you tell if the data has been used? The beauty of all things digital is that they can be copied over and over without any indication that they have been copied. A data thief seldom erases the data, just lifts a copy so you are none the wiser.

Another assurance that bears closer inspection is this one, as seen in the VA letter: "Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents." Well, contrary to the VA's claims in the letter, the VA employee had been taking home the same sort of data for years, with permission. This implies that someone could indeed have targeted the data; but even if they didn't, your average thief today probably knows a thing or two about computers. Imagine getting that computer home and finding all that data. Knowing that it could be worth dollars per record might tempt a common burglar to branch out into data trafficking.

At this point you might be wondering what happened to all the marvelous computer security technology you see in movies: passwords, fingerprints, encryption. These are not science fiction. They exist and they are relatively effective, cheap, and easy to use. The reality is that they are not used nearly as much as they should be. One way you can tell is to read between the lines of an "exposure" announcement. The VA made no mention of passwords; the Department of Transportation did. You can bet the DOT data was password protected, the VA data was not.

So what can you do when your data is exposed by one of these incidents? The first step is to take advantage of any resources provided by the "breachee," the entity whose security was breached, thus leading to the exposure. For example, VyStar has provided a lot of information about Internet security on its web site. In addition, it has said it will provide identity theft protection to all those affected by the breach. This is a smart move because it helps to limit the company's exposure to damage claims. Several years ago I provided testimony in a class action suit brought by another group of military personnel whose data was exposed as a result of the TriWest security breach in Arizona. The victims were seeking to force TriWest to pay for identity theft protection. As far as I know the case is still unresolved, but the security lapse has already cost TriWest several million dollars.

The primary defensive action you can take, regardless of what the breachee does, is place a temporary fraud alert on your credit bureau account. This should alert you to anyone trying to open new accounts in your name. To place an alert, contact one of the three main agencies: Equifax (800-525-6285); Experian (888-397-3742); TransUnion (800-680-7289). The alert is free, good for 90 days, and may get you a free credit report. In fact, getting a credit report on yourself is a good all-round defensive measure, even if your data has not, to your knowledge, been exposed. If it has been more than 12 months since you saw your credit report, check it out, via the contacts above, to make sure it contains no surprises.

None of this implies that the party whose inadequate security made the exposure possible is off the hook. The VA is currently under pressure to improve security and do more for the victims. You can learn more at Sadly, if you visit the site created to keep vets informed about the May incident, you are greeted by news of an August incident. That's right, another computer went missing, this time exposing the insurance records of tens of thousands of vets.

Is there any good news? Well, I can say that the VA/VyStar victim I know has not received a third letter, yet. I'd like to say I see light at the end of the tunnel but, based on my 25 years of work against computer fraud and abuse, I don't. So be prepared to act in defense of your identity, keep abreast of new incidents, and cast a critical eye over any letters you receive. I'm afraid more of us will be over-exposed before things get better.
