June 14, 2006
Mr. David M. Walker
Comptroller General of the United States
Government Accountability Office
441 G Street, NW
Washington, DC 20548
Dear Mr. Walker:
Last week, several major newspapers reported that the personal information of 80% of our active military personnel was included in the May 3rd heist of a personal computer belonging to a Department of Veterans Affairs employee. According to the VA, the information contained the names, Social Security Numbers, and birthdates of 2.2 million military personnel. A spokesman from the department said 1.1 million active duty personnel, 430,000 National Guard members, and 645,000 Reservists were among the 26.5 million identities stolen from the laptop computer.
These recent revelations directly contradict the Department of Veterans Affairs' initial response to the massive data breach that occurred in early May. The New York Times reported that the May 22nd announcement included the larceny "of up to 26.5 million veterans, and their spouses." Yet, at no time were any active military personnel, or members of Congress, aware that the personal security of the bulk of our military apparatus was jeopardized.
Given this new revelation and the continued failure of the Department of Veterans Affairs to provide accurate, timely and complete information to the American people or the Congress, we are writing to request the Government Accountability Office further investigate this matter.
This security breach not only threatens the identity and financial security of millions of veterans and active military personnel, but also the safety and security of our troops and their families. Security experts have suggested that the data theft may have profound consequences on the safety of our troops. "'There is a global black market in this sort of information and you suddenly have a treasure trove of information on the U.S. military that is available,' said James Lewis, director of technology and public policy at CSIS."
Unfortunately, this new disclosure by the VA is just the latest example in a long record of incompetence and deception within the Department of Veterans Affairs and the Bush administration.
The Department of Veterans Affairs has shown a pattern of careless, and possibly even deceitful, communication, both within the department itself and to the Congress and the public at large with respect to this data loss. Secretary Nicholson was not informed about the data theft until 13 days after the burglary. When Senator Susan Collins asked him how it was possible he was not informed immediately, he replied that it was unclear. Additionally, officials in the department did not report the May 3rd data theft until over two weeks later on May 22nd, leaving millions of veterans unknowingly at high risk of identity theft. Also, when the department learned that the personal information of active military personnel was compromised, Secretary Nicholson badly underestimated the number of troops put in harm's way. His estimation of 50,000 Navy and National Guard members affected accounted for just a tiny fraction of the total number of American troops exposed.
The information security breach is even more egregious considering VA, after continual security audits, was well aware of the vulnerability of its data security. According to VA Inspector General George Opfer, "In all four audits of the VA Security Program issued since 2001, we reported serious vulnerabilities that remain uncorrected. These reports highlight specific vulnerabilities that can be exploited, but the recurring themes in these reports are the need for centralization, remediation, and accountability in VA information security. Since the FY 2001 report, we reported weakness in physical security, electronic security, wireless security, personnel security, and FISMA reporting."
For all these reasons, we ask that the Government Accountability Office make an in-depth inquiry into the causes of this serious breach, the adequacy of the VA's response, and the impact to the veterans and military community at large. More specifically, we desire that the GAO:
Provide a full and complete assessment of the security breach, affected personnel and the impact of this incident.
Review and evaluate the impact of the delay by VA officials to analyze the contents of the stolen data and further assess its content.
Review the adequacy of VA's response to recommendations by GAO and the VA Inspector General to make VA compliant with the Federal Information Security Management Act. Please describe in detail VA's implementation efforts or responses in this regard.
Identify any needed legislative solutions that would address requirements for notifying citizens in a timely manner of breaches or losses of personal information from Federal databases.
Review VA's response, and the adequacy of that response, to strengthen personal information security management.
Review the adequacy of existing laws, such as the Privacy Act, to protect personal information contained within Federal electronic databases and provide recommendations on how these laws might be strengthened in light of current vulnerabilities and the state of technology.
Review and evaluate the impact of the data theft on the veterans' community, active, guard and reserve members and what efforts are being undertaken by VA to ensure that the stolen personal information is not misused, whether those steps are adequate, what additional measures might be necessary to protect those whose information was lost, and finally, how to deal with any harm caused to those individuals from this breach.
We look forward to working with you regarding this most important matter.
Senate Democratic Leader Harry Reid
Senator Daniel Akaka
Senator Byron Dorgan
Senator Jay Rockefeller
Senator Barack Obama
Senator Ken Salazar
Senator Chuck Schumer
Senator Hillary Clinton
Senator James Jeffords
Senator Patty Murray
Senator Joe Lieberman