The government agency charged with fighting identity theft said Thursday it had lost two government laptops containing sensitive personal data, the latest in a series of breaches encompassing millions of people.
The Federal Trade Commission said it would provide free credit monitoring for 110 people targeted for investigation whose names, addresses, Social Security numbers — and in some instances, financial account numbers — were taken from an FTC attorney's locked car.
The car theft occurred about 10 days ago and managers were immediately notified. Many of the people whose data were compromised were being investigated for possible fraud and identity theft, said Joel Winston, associate director of the FTC's Division of Privacy and Identity Theft Protection.
"Basically these were attorneys who were going to file a lawsuit, and they had relevant evidence on their laptops," Winston said, noting that the FTC employees did not violate security procedures by storing the password-protected laptops in their cars.
"We will be reassessing what procedures we have to make sure reasonable measures are taken to protect data," he said.
Widening data breach
The disclosure comes amid a widening data breach that is expected to cost the government hundreds of millions of dollars. In all, five government agencies have reported data theft, including the Veterans Affairs Department, which on May 22 acknowledged losing data on up to 26.5 million veterans.
At the Agriculture Department, a hacker who broke into the computer system, obtaining names, Social Security numbers and photos of 26,000 Washington-area employees and contractors. Victims will be offered free credit monitoring for a year after the break-in in early June.
At Health and Human Services, personal information for nearly 17,000 Medicare beneficiaries may have been compromised in April when an insurance company employee called up the data through a hotel computer and then failed to delete the file.
Social Security numbers and other data for nearly 1,500 people working for the National Nuclear Security Administration may have been compromised when a hacker gained entry to its computer system last fall. Officials said June 12 they had learned only recently of the breach.
Credit monitoring may not be enough
On Thursday, a House panel was cautioned that credit monitoring alone may not be enough to protect Americans whose names, birth dates and Social Security numbers were compromised at the hands of the government.
"The worst-case scenario is that the veterans file finds its way to a public distribution source, such as the Internet," said Mike Cook, a co-founder of a company specializing in data breaches.
"If this happens, the stolen identities will lose their connection to the VA data breach and groups of fraudsters might actively trade that data among the fraud community," he said. "More people might have access and could misuse those identities on a grander scale."
The Senate Appropriations Committee approved $160 million in emergency funds for credit monitoring for veterans on a 15-13 vote; some Republicans objected because the VA has said it can use existing funds to pay for credit checks.
"I don't think it's acceptable to tell our veterans we lost your personal information, and by the way, we're going to cut your health care to pay for it," said Sen. Patty Murray, D-Wash., who sponsored the amendment to an agriculture spending bill.
On Wednesday, the VA announced it would provide free monitoring for a year, taking responsibility after the data was stolen from a VA employee's home in suburban Maryland. The VA said it would also hire a contractor to do data analysis to help pinpoint identity theft; the agency, however, did not offer specifics, saying it wanted to see what bids they receive.
Noting "it's not going to be cheap," VA Secretary Jim Nicholson pledged not to take the money from current VA programs. So far, the department has already spent $14 million to set up a call center and notify veterans by letter, and it's spending an additional $200,000 a day to maintain the call center.
Theft evidence can take months
During the House hearing Thursday, Cook said identity theft victims typically don't become aware they've been hurt until six months after their data was stolen, when creditors come calling for money owed. At that point, it's likely the thieves will have moved on — having made just a few purchases so they don't attract notice — and started using another victim's information.
As a result, a credit monitoring service would raise a red flag after it was too late, Cook said. He said data analysis technology was available to help identity theft as it occurs, particularly in the typical cases in which thieves use stolen identities to fraudulently obtain credit cards and then make purchases.
Rep. Steve Buyer, chairman of the House Veterans Affairs Committee, said he believed the VA and Congress should consider additional safeguard measures — even if it means costing taxpayers more.
"The concern is, are we creating a false expectancy — that if the VA does credit monitoring, I am safe?" said Buyer, R-Ind. "I still have great fears."
There have been no reports of identity theft so far from the VA data breach, one of the nation's largest. But Nicholson acknowledged this week that authorities — who believe the burglars were not specifically targeting the sensitive data — are nowhere close to apprehending those responsible.