Stolen VA Laptop Recovered
lancejjj writes "Remember how the VA was pinning the theft of 26.5 million veterans' personal records on a hard working-but-renegade employee whose laptop was stolen? Surprise! It turns out that the employee had written permission to bring the sensitive data home. Fortunately, the laptop has been recovered. It is still unclear how the laptop was recovered, or if any of the veterans' personal data was leaked."
Or a copy of it for publicity sake.
- Kal`Goblez
According to the FBI as reported by Reuters. The FBI said that the DB hadn't been accessed since the date it was stolen. Keep in mind, too, that laptop thefts are no different than any other and the vast bulk are crimes of opportunity. So it is most likely that the laptop was just at the wrong place at the wrong time and the tweaker responsible had no idea as to its value.
If brevity is the soul of wit, then how does one explain Twitter?
Seriously. Attention any/all US federal legislators reading this: just mimic the EU on this one. It's a no-brainer and will win you the all-important geek vote.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
I'd like to know how they verified that none of the data was accessed. Granted, it's highly possible that the thief probably had no idea what was on the laptop or may have been too scared to try selling that data, but I'd like to know that somebody with tech skills did the check. "Last modified" date doesn't mean the files weren't copied, and we never heard about anything else being stolen from the victim. There was a theft of Tricare (military medical provider... of sorts) server hard drives from a server room a few years ago. The geniuses said it wasn't a targeted data theft, but rather the thieves had the intent to steal the hard drives themselves.
Yeah... sure.
"Common sense will be the death of us all"
One of the articles quoted the permission granting documents, saying that the analyst needed real SSNs for his work. I don't understand why that would be the case. Couldn't they have generated a fake list, verified that no two numbers were alike, and assigned a bunch of random names? It seems like the whole issue could have been eliminated from the start by doing this. Also, it's just shameful the way a bunch of middle-management types are trying to shaft the analyst when he's had written permission for ~4 years.
Meh, a real sig would take too long, and I have an MMORPG to play with....
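The substitution suggested in the comment above (unique fake numbers and placeholder names in place of real SSNs), as an added example that is not part of the original thread. It assumes a secret key held only on the protected server; the class and function names and the sample rows are hypothetical. The same real SSN always maps to the same stand-in, so joins across tables still work on the extract.

```python
import hashlib
import hmac

# Constructed sample extract; names and SSNs are made up for this example.
SAMPLE_ROWS = [
    ("Veteran A", "123-45-6789"),
    ("Veteran B", "234-56-7890"),
    ("Veteran A", "123-45-6789"),  # same person appearing in a second table
]


class SsnPseudonymizer:
    """Maps each real SSN to one unique stand-in that can never be a real SSN."""

    def __init__(self, key: bytes):
        self._key = key        # secret (assumption): stays on the protected server
        self._forward = {}     # real digits -> stand-in
        self._issued = set()   # stand-ins already handed out

    def _candidate(self, digits: str, counter: int) -> str:
        msg = f"{digits}:{counter}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        n = int.from_bytes(mac[:8], "big") % 100_000_000
        # Area 900-999 is not issued by the SSA, so no stand-in is a live SSN.
        return f"{900 + n // 1_000_000}-{n // 10_000 % 100:02d}-{n % 10_000:04d}"

    def pseudonym(self, ssn: str) -> str:
        digits = ssn.replace("-", "")
        if len(digits) != 9 or not digits.isdigit():
            raise ValueError("expected a 9-digit SSN")
        if digits not in self._forward:
            counter = 0
            fake = self._candidate(digits, counter)
            while fake in self._issued:   # verify no two numbers are alike
                counter += 1
                fake = self._candidate(digits, counter)
            self._issued.add(fake)
            self._forward[digits] = fake
        return self._forward[digits]


def build_extract(rows, key: bytes):
    """Return rows fit for a take-home copy: placeholder names, stand-in SSNs."""
    p = SsnPseudonymizer(key)
    labels = {}
    out = []
    for _name, ssn in rows:
        fake = p.pseudonym(ssn)
        label = labels.setdefault(fake, f"Subject-{len(labels) + 1:04d}")
        out.append((label, fake))
    return out
```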
I received one of those official letters in the mail from the VA stating the gist of what the original news article talked about. Although I wasn't surprised that I got it, it still made me feel uneasy knowing that someone out there has mine (and countless others') information. I'm relieved to see that the laptop made it back...whether or not my information is still out there is another story....
This sig contains repetition and redundancy.
Why? He had at least three written memos giving express permission for him to do what he did. The problem here wasn't with the worker, it's with the policies and directors that signed the memos.
Meh, a real sig would take too long, and I have an MMORPG to play with....
Oh no, the best thing they could do is let him keep the job. He's the least likely person in the US to do this again. It would be different if he stole it himself.
You are checking your backups, aren't you?
I for one am relieved that the data was not accessed, since I am a veteran who received a letter saying that I might be subject to identity theft as a result of this incident.
They gave us all a year's worth of ID theft tracking service at a cost to the gov't of $(several millions?).
If a class action lawsuit against the VA for this debacle is successful it will cost them a lot more than that.
I am more than a little annoyed that they gave the guy permission to take the data home, and now they are firing him for having done so.
In spite of my feelings, I hope such a lawsuit fails, since it will only hurt those who rely on the VA's funding for their health care, etc.
The people who allowed this to happen certainly aren't going to give themselves a cut in pay!
...the future crusty old bastards are already drinking the Kool-Aid.
The employee had permission to access social security numbers. The employee had permission to take a laptop home. The employee had permission to use database software at home.
The VA still contends that the employee did not have permission to put the social security numbers on the computer and take it home.
Look at the timeline. He gets permission to access SSNs in February. He gets permission to take a laptop home in September. Sometime during the year he got permission to use a database program at home. It still sounds to me like he took a little personal initiative to take the SSN database home.
Still, the whole affair was handled pretty damn poorly, particularly the delay in reporting it, among other things.
-h-
Data privacy laws aren't there to keep the gov't from snooping into your stuff, it's to keep companies from trading your private data, or even keeping it on file in many instances.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
What is needed is a far more positive identification system. Granted, it might be a piss-off to not be able to get instant credit to purchase that new thingamabob, but as things reach unmanageable proportions, something has to be done.
They need to fire all of the morons who made this possible in the first place. It's hard to say which is worse, having no data security or not even knowing if your data is secure.
Problem is that if the hidden volume is mounted and the laptop suspended... does TrueCrypt unmount in this case? (In other words, does the user have to remount on resume?) If not, it's the same as not having any encryption at all.
Do you really believe them when they say the data was not accessed? Ignoring the fact that the data can be accessed with no evidence left on the drive. You're a veteran, and you still believe what the government tells you when it's good news for them?
The real fault lies with the credit reporting/monitoring companies.
They have created a system where it's easy for anyone to get credit in another person's name. Their solution, of course, is to pay them to monitor your credit in case someone tries to do it.
The data is not very valuable for most ID thieves if they cannot open up instant credit. So, the "solution" is for the VA to pay the very companies that make it easy to get instant credit for monitoring services.
What a racket.
The easiest first step is to require those agencies to allow every person to put a credit freeze on their credit records. This would stop the instant credit and at the same time would stop a vast majority of the ID theft going on.
Those very same companies have lobbyists to prevent this, of course.
1) The thief probably didn't even check. People steal laptops to sell them, not to mine their data since 99.9% have no valuable data.
2) Identity theft on a large scale is nearly worthless because it's news. People get notified, accounts get watched, you get caught if you use it. It's the small stuff where the harm happens. You get one person's identity and they don't know so you can abuse it for a couple months.
Excellent thinking. I believe the same applies to airlines with accidents...according to laws of probability alone, it is almost impossible for an airplane crash to occur more than once with the same airlines during the period of, say, a month. They become the safest airlines on earth after an accident.
It sounds like a coverup to me. They never found that laptop, and if they did, it wasn't the one that was missing.
Does your specially-formed tinfoil apparel help you to know these facts? The scoop is that someone turned it into the Baltimore FBI office, and they're keeping it quiet because the $50k reward was part of the picture. Their forensics people were the first ones to look at the machine, and that's what they do all day.
More likely whatever idiot looted the house and took the portable fencables really didn't know what to do with it, and probably saw the government markings on the machine later. Not something you can put on eBay or take to a pawn shop. And people like that are in the habit of asking their equally ass-hattish friends what to do with something like that. Obviously one of the more enterprising ones is looking to turn it into $50k.
Don't disappoint your bird dog. Go to the range.
I don't see how the credit reporting/monitoring companies can fix this.
To me the problem is very simple. If I lose my keys, I don't put a "key watch" on my door to see if someone attempts to use the lost keys. I change the locks on the door and get new keys.
If the confidentiality of my social security number is lost then I need to get a new social security number.
Ok, I might be in the minority here, but I'm assuming that this was no conspiracy or well-organized hit to access veterans' SSNs. I'm guessing the perpetrator was some dumb teens or twenties punk who broke into the house looking for something he could sell for a couple bucks. This run-of-the-mill type would barely be able to use the laptop he stole to check email and play solitaire, let alone transfer files without leaving a trace of file access. Imagine his face, when flipping through the TV, he sees an article on the computer sitting in his trunk and thinks, "Hey, that looks like the place I jacked last night... wait a minute, that IS the place I hit! National news! FBI investigation! $50,000 reward for my ass ... crap!" Ahhh, priceless!
What forensic tools are those?
Is there any way in hell to determine when a read head moves over a piece of data? If there is (which I do not see how), how could it determine with any resolution of when that head passed over the data? One week, one month, one hour ago etc. Whatever magical thing they measure would have to decay away over time with some consistency to determine WHEN it was last read.
On that note, boot up with Knoppix, mount hda1 read only (which is the default), mount a network share through LinNeighborhood and copy \mnt\hda1 to \home\user\mounts\server\share. Shut off laptop and remove Knoppix CD. You can do that whole process in minutes and all with a GUI if you'd like! We do that exact process at least once a week from tanked XP laptops that we need data from.
To get back to reality, if Joe random stole that laptop and was playing with it, he would probably not have the desire and knowledge to do the Knoppix thing or really even care about the actual data on the laptop at all. Someone specifically targeting this VA employee and that data could easily do it.
Bad boys rape our young girls but Violet gives willingly.
checks for affected veterans. Bush is going to take money out of food stamps and education to pay for it.
He's not going to cut any of the huge tax cut he gave his billionaire buddies. Kids will have to pay for it.
What an asshole!
I do not believe for one minute that they found the laptop.
They need to fire all of the morons who made this possible in the first place. It's hard to say which is worse, having no data security or not even knowing if your data is secure.
Where would you put them all? These people probably number in the millions, since they include everyone who thinks that an SSN is anything other than a personal name.