WIRED Staff
Security

More on VA Data Theft

Bob Sullivan — the go-to-guy in ye olde MSM for identity theft coverage — sheds a little more light on what happened with the computer and hard disk stolen from a Veterans Administration data analyst. Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near […]

Bob Sullivan -- the go-to-guy in ye olde MSM for identity theft coverage -- sheds a little more light on what happened with the computer and hard disk stolen from a Veterans Administration data analyst.

Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said. Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together.

The male buyer, who has not been publicly identified, later spotted fliers posted at a nearby supermarket seeking the return of the equipment. After matching the serial numbers on the flier with those on the equipment, the buyer decided to turn in the equipment. No doubt, a posted $50,000 reward helped encourage that decision.

He had a friend in the U.S. Park Police who brokered the exchange with the FBI, Williams was told.

The FBI has done some forensic work on the laptop and says it can't find any evidence that the data was accessed.† InfoWorld's Robert Grimes chimes in to say, Rumsfeld style, that the absence of evidence is not the evidence of absence, since any fool could have simply cloned the disk and then accessed the database on the cloned disk.

Now, there's also some back in forth in the VA about whether the data analyst was authorized to take the data home.† The analyst, who has been fired, says he has a letter authorizing him to take the data home, while the VA says the letter is for a different computer.

But, no one seems to be asking the pertinent question, which is why was the analyst working with live social security numbers?

If you are just using them as identification numbers, it would not have been very hard to use a hashing and salting algorithm to create unique IDs based on each number and that process is reversible if you really need to get back to the real numbers (say the analyst was adding a risk analysis score to each person and wanted to add that later back to the database at the VA).

The other possibility is that the analyst was trying to do some work with what little information coded in them -- in which case the last four digits could have been excised since they don't mean anything but are fairly key to identity theft.

Either way, the whole operation was risky from the start.