Our friend Jon Stanley has sent me this letter concerning the risks for veterans in the recent theft of personal data from the Department of Veterans' Affairs. He would like to make it clear that he is not in search of clients and offers this as a service to us all.
On behalf of us all, I thank him.
Pat Lang
--------------------------------------------------------------------------------------------------------
"To Whom It May Concern:
You all know the saying, "on the internet they don't know you are a dog", or words to that effect. So feel free to take what I am about to share with a grain of salt.
I'm a lawyer and a frequent poster on this blog. Jonst is my handle. My field of expertise is in information security/technology law. One area of law, and/or law breaking you might say, that I am focusing on, is identity theft/misuse. Presently, I’m part of a team working on an 18-month-long project dealing with ID theft/misuse. The project is funded by the National Institute of Justice, which some of you might know is the research and development branch of the US Department of Justice. I have spoken on the topic of ID theft at the annual American Bar Association meeting in 2005 and numerous RSA Security conferences. Last month I was one of three presenters on a national teleconf hosted by the ABA.
As many of you know already, a large database of veterans' information is missing from the home of a Veterans Admin employee. Ostensibly, the info was taken during a 'routine' burglary. The data taken ".....contained the names, Social Security numbers and birth dates of every living veteran from 1975 to the present, Veterans Affairs Secretary Jim Nicholson said Monday". I believe it is the greatest theft of SSN in our history. [Update: it may be that some pre-1975 vets were affected. The jury is still out on that.]
Veterans, and other relevant parties, are being assured that if all is not exactly well, it is close to well: "Nicholson and Attorney General Alberto Gonzales said there was no indication that the information has been misused" and that this was just a 'routine burglary'. To me their reaction is like hearing the officer say, "move along folks, there's nothing to see here."
I'm going to share some of my thoughts on ID theft with you. Take it for what it is worth. Here goes:
1. First, there is a bustling black/gray market for social security numbers.
http://select.nytimes.com/gst/abstract.html?res=F00E13FF385C0C748CDDAF0894DD404482 and http://www.symantec.com/avcenter/cybercrime/index_page5.html for example. Let's do a conservative guess on the value of a valid SSN. Say ten dollars a number. Now, 10 x, again, let's be conservative, let's say, there were only 20 million numbers on the medium in question, the hard drive or the external hard drive or both. So, 10 x 20 million. You get the potential prize here that has been stolen? You think this increases or decreases the odds that the wrong info is going to get (or has already gotten) into the wrong hands? So what does it mean when we are assured that there is no indication that the info has been misused? Again, I'll leave that to the reader. Me? I'm concerned. Not panicked. Indeed, not even overly concerned. But I am concerned. Damn concerned.
2. Again, with regard to the no misuse issue. On average it takes over one year for misuse of a person's ID to show up. See, among many other sources, the statement by J Howard Beales, then Director of the FTC's Bureau of Consumer Protection, made before the Senate Commission on the Judiciary, 20 March 2002.
3. Here are some sites you can go to that will offer some suggestions as to what course of action you might consider taking if you find out, or suspect, your data has been compromised.
http://www.consumer.gov/idtheft/
http://www.privacyrights.org/about_us.htm
http://www.idtheftcenter.org/index.htm
There are others as well.
4. Be on the lookout for solicitations where the party soliciting seems to know a bit about you. As in ‘let me say up front we want to thank you for your x tours in x country. And for your service in the x corps or field artillery.’ You know, stuff like that, and then they go on to say ‘the vet admin is cutting back and this supplemental policy could solve all your woes’. Or ‘this credit card will be the lowest interest in the western world’. Seriously, these scams can be really slick.
Again, and in conclusion, panic and undue worry are uncalled for. This is a risk management issue. The threat level has gone up somewhat. More than the media is letting on. At least in the first reports. And less than those who might counsel "they're coming over the walls, folks". But I would, at a minimum, start paying a lot of attention, prolonged attention, to my financial statements and records.
I hope that this has been helpful. That was my intention. I will be glad to answer, where I have answers, any follow up questions you might have.
Jon Stanley
Attorney at Law
Thanks very much.
Posted by: Jerry Thompson | 24 May 2006 at 09:40 AM
Ditto the thanks.
Posted by: john pfefiler | 24 May 2006 at 09:42 AM
You guys are welcome. I really enjoy the people on this blog and I figure more than a few of them are vets.
Posted by: jonst | 24 May 2006 at 10:30 AM
Valuable info, johnst, good for you. Great point about "phishing". I've seen "spoofs" of many agencies and institutions - with the "correct" logo (easy cut & paste job) including the FBI. Forewarned is forearmed.
Posted by: taters | 24 May 2006 at 10:33 AM
Thanks, Jonst. Very good advice.
Posted by: BillD | 24 May 2006 at 12:00 PM
Thanks Jonst.
Posted by: Eric | 24 May 2006 at 12:42 PM
This happened in '02 or '03 as well, a theft from a Tricare building.
Thanks for the info, Johnst.
Posted by: semi-crazy | 24 May 2006 at 02:40 PM
Yes, semi...and there were, and remain, problems for vets from it. But that was a blip (as serious as it was) compared to this. This is a HUGE deal among the infosec crowd I hang with. 26 mil ssn and a ton of information to go with it. The mother lode. I will not be one bit surprised if it turns out that the 'burglar' knew exactly what he was looking for. Assuming, that is, there was a burglar in the first place.
Posted by: jonst | 24 May 2006 at 04:27 PM
Yep...Strange how these type of "Lap Tops" and Data Just Disappear from time to time..
Reminds me of Robert Hanssen and Rick Ames..
So Much Intrigue..
In this "Safer World"..
Strangest Ball game I ever saw..
Posted by: Patrick Henry | 24 May 2006 at 04:33 PM
How expensive would it be to re-issue each lost SSN a new one to the vets (and anyone else who lost it due to government carelessness)? This would make the stolen IDs worthless.
Posted by: bud | 24 May 2006 at 08:20 PM