Feds hit by rash of data breaches
Credit monitoring may not be enough
On Thursday, a House panel was cautioned that credit monitoring alone may not be enough to protect Americans whose names, birth dates and Social Security numbers were compromised at the hands of the government.
"The worst-case scenario is that the veterans file finds its way to a public distribution source, such as the Internet," said Mike Cook, a co-founder of a company specializing in data breaches.
"If this happens, the stolen identities will lose their connection to the VA data breach and groups of fraudsters might actively trade that data among the fraud community," he said. "More people might have access and could misuse those identities on a grander scale."
The Senate Appropriations Committee approved $160 million in emergency funds for credit monitoring for veterans on a 15-13 vote; some Republicans objected because the VA has said it can use existing funds to pay for credit checks.
"I don't think it's acceptable to tell our veterans we lost your personal information, and by the way, we're going to cut your health care to pay for it," said Sen. Patty Murray, D-Wash., who sponsored the amendment to an agriculture spending bill.
On Wednesday, the VA announced it would provide free monitoring for a year, taking responsibility after the data was stolen from a VA employee's home in suburban Maryland. The VA said it would also hire a contractor to do data analysis to help pinpoint identity theft; the agency, however, did not offer specifics, saying it wanted to see what bids it receives.
Noting "it's not going to be cheap," VA Secretary Jim Nicholson pledged not to take the money from current VA programs. So far, the department has already spent $14 million to set up a call center and notify veterans by letter, and it's spending an additional $200,000 a day to maintain the call center.
Theft evidence can take months
During the House hearing Thursday, Cook said identity theft victims typically don't become aware they've been hurt until six months after their data was stolen, when creditors come calling for money owed. At that point, it's likely the thieves will have moved on — having made just a few purchases so they don't attract notice — and started using another victim's information.
As a result, a credit monitoring service would raise a red flag only after it was too late, Cook said. He said data analysis technology was available to help detect identity theft as it occurs, particularly in the typical cases in which thieves use stolen identities to fraudulently obtain credit cards and then make purchases.
Rep. Steve Buyer, chairman of the House Veterans Affairs Committee, said he believed the VA and Congress should consider additional safeguard measures — even if it means costing taxpayers more.
"The concern is, are we creating a false expectancy — that if the VA does credit monitoring, I am safe?" said Buyer, R-Ind. "I still have great fears."
There have been no reports of identity theft so far from the VA data breach, one of the nation's largest. But Nicholson acknowledged this week that authorities — who believe the burglars were not specifically targeting the sensitive data — are nowhere close to apprehending those responsible.

