Veterans Chief Is Grilled Over Stolen Data

The theft of a disk containing names, birth dates and Social Security numbers for as many as 26.5 million veterans and their spouses stirred fury in Congress on Thursday, as Republicans and Democrats pounced on Veterans Affairs Secretary Jim Nicholson, demanding to know why the agency’s notorious computer security issues had not been fixed.

With millions in danger of identity theft because a VA data analyst took home a computer disk that was later stolen during a burglary, more than 100,000 aggrieved veterans sought answers from 14 call centers set up by the Department of Veterans Affairs. They also took their complaints to the airwaves and the Internet, where one Vietnam vet set up an online petition urging Nicholson to quit.

Amid calls for Nicholson’s resignation, White House Press Secretary Tony Snow said President Bush had “full faith and confidence” in the Veterans Affairs secretary.

Nicholson, a 67-year-old former Army Ranger who fought in Vietnam, said in testimony before House and Senate committees that he was “mad as hell” that the employee had taken the disk home, and that his deputy secretary, Gordon Mansfield, had not informed him of the security breach for two weeks.

“As a veteran, I am outraged,” Nicholson said. “I’m outraged that this employee would do this so recklessly, and I’m outraged that I wasn’t notified sooner.”

He added: “Other people are also in my sights as a result of this.”

But neither Congress nor veterans’ groups was appeased. The Veterans of Foreign Wars, the nation’s largest group of combat veterans, issued a sharp response to the VA’s advice to individuals to check their own credit reports.

“Telling 26.5 million veterans to deal with this as individuals is a totally unacceptable response,” the VFW’s national commander, James R. Mueller, said in an e-mailed statement. “We strongly suggest that the federal government start figuring out a way to deal with this problem computer-to-computer between the VA, national credit bureaus and other national institutions.”

During the hearings on Capitol Hill, the VA’s inspector general, George Opfer, said the agency had been unable to formally notify the affected veterans because “we don’t have 26 million envelopes.”

Opfer estimated the costs of buying, addressing and mailing the envelopes at $10 million to $11 million.

Asked the cost for preventing and covering potential losses from identity theft, Nicholson estimated “way north of $100 million” and did not rule out a total as high as $500 million.

He told the House committee that the stolen records were those of veterans who have been discharged since 1975 or who are receiving compensation for disabilities.

The missing data include the names and birth dates of about 26.5 million veterans and some of their spouses, along with 19.6 million Social Security numbers.

Officials at the White House and Veterans Affairs stressed that so far the records have not been compromised and that the FBI is trying to recover them.

In the meantime, veterans were being advised to notify banks and credit card companies, and lawmakers were talking about earmarking funds to pay for veterans to get regular credit reports.

“I’m absolutely furious,” said Stewart Resmer, a Vietnam veteran from Santa Monica who started the anti-Nicholson petition at www.petitionspot.com.

Noting that the VA had lost thousands of records in a 1973 fire at its National Personnel Records Center in St. Louis, Resmer said:

“Now they make us prove that we were shot or where we were, and we have to get two buddy statements. We’ve had our tails shot off and lived to tell it. They never sent me a letter about Agent Orange; I don’t need them to get me a free credit report check. They should be looking to replace all of our Social Security numbers.”

The breach dramatically underscores the risks inherent in information collection in a high-tech age. In Washington, where many government officials take work home or on the road, the advent of powerful, lightweight laptop computers has turned routine home burglaries into major security threats. In 2000, a State Department employee was fired and five others were disciplined over a missing laptop that contained top-secret information.

“The VA is not alone in the potential to suffer a data breach of this magnitude,” said Sen. Susan Collins (R-Maine), calling the security failure “a wake-up call to the rest of the federal government.”

Still, the VA has been famously lagging in computer security -- having earned an “F” on an annual federal computer security report card compiled by the House Government Reform Committee in four of the last five years.

Several lawmakers expressed concern that the security lapse was the tip of the iceberg.

“Just unbelievable,” said Sen. Larry E. Craig (R-Idaho), chairman of the Senate Committee on Veterans Affairs. “How is it that VA’s computer system permits one person to download the records of 26 million individuals and no one is alerted?”

Others called for Nicholson to leave.

“I don’t think the secretary is really up to this job,” said Rep. Ted Strickland (D-Ohio), a member of the House Committee on Veterans Affairs.

Added Rep. Bob Filner (D-Chula Vista), another panel member: “You say you take responsibility, but then you tell veterans to ‘go call your creditors.’ ... The most dramatic thing to take responsibility is to resign.”

The midlevel data analyst who took home the veterans’ information -- officials said he was trying to figure out how to reduce the file -- has been placed on administrative leave pending an investigation.

Opfer said the employee told investigators that he had been taking data work to his suburban Maryland home regularly since 2003.

The theft involved 5 gigabytes of material, Nicholson said, adding that the employee could easily have accessed the information over a secure connection from his home computer.

He said he has ordered immediate training for all computer employees in security and privacy but suggested Congress might want to consider enacting laws making it unlawful to take records home.

At day’s end, veterans were not reassured.

“I really don’t know what to do. I’ve only got one bank and one credit union. I guess I’ll kind of watch them,” said Don Tetschlag, a 31-year Navy veteran now retired in San Diego.

Referring to the employee who took home the disk with such sensitive information, he added, “If I’d done that, I would be in jail.”