VA's Plan To Advertise Value Of Data Leak Worked

from the in-hindsight dept

Mon, Aug 7th 2006 9:05am — Carlo Longino

Back in May, following the theft of one of its employee's laptops containing personal data on 50,000 veterans, the VA tried a new version of security-via-obscurity. It first said that chances where the thieves had no idea about the data, and probably just stole the laptop for its resale value. They then followed this up by doing their best to make them aware how valuable it was, putting up a $50,000 reward and pumping it up in the press. The FBI said at the end of June the machine had been recovered, and now, the thieves have been apprehended, and told police they didn't know they'd gotten anything more than a random laptop until -- yes, you guessed it -- the theft got publicized. Admittedly, companies or governmental groups in this situation are in a bit of a bind. They need to own up to people whose information they've lost that they are at risk, but should exercise a bit of restraint in putting the story out so they don't alert otherwise ignorant thieves to the real value of the computers they've stolen. Though undoubtedly any attempt at restraint is likely to be interpreted as a cover-up or ignoring the problem. The real solution, of course, is to prevent the data leaks. While the question of whether or not the data in the VA case is at risk seems to be answered, the bigger question remains: why did an employee have the personal information on 26.5 million veterans on a laptop, let alone at their home?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ralph, 7 Aug 2006 @ 9:24am

Does it BELONG to the VA or are you saying VA is?
Apostrophe abuse!
[ link to this | view in chronology ]
- Lay Person, 7 Aug 2006 @ 9:34am
  
  Re: Does it BELONG to the VA or are you saying VA
  Uhhhh....
  
  It belongs to the VA...
  [ link to this | view in chronology ]
- mikhail, 7 Aug 2006 @ 1:18pm
  
  Re: Does it BELONG to the VA or are you saying VA
  Ralph's comment clearly illustrates a key factor;
  Ralph's an idiot.
  
  To end on a kind note, hopefully Ralph's preparing for his epic journey into middle school as the freedom of summer draws to a close (or even lower on the totem pole, from one who still has at least a faint bit of belief in the educational system).
  [ link to this | view in chronology ]
eb, 7 Aug 2006 @ 9:37am

Why?
Maybe because he's an idiot? From what I read, he was apparently working on some sort of "vanity" project, trying to validate the results of a survey.
[ link to this | view in chronology ]
EasyJim, 7 Aug 2006 @ 10:04am

Ralph with the itchy trigger finger
Sir, with all due respect, it is correctly: the plan that belongs to the VA. In other words, the VA's plan.

Just as written originally.

No apostrophes were harmed in the making of this post.
[ link to this | view in chronology ]
Anonymous Coward, 7 Aug 2006 @ 10:11am

While the employee might have been an idiot the real blame rests with the VA who never should have allowed such data to be contained anywhere but a secure server.
[ link to this | view in chronology ]
Nathan Kully, 7 Aug 2006 @ 10:22am

3.5 months later...why now?
I can't say this enough, if that data was encrypted we wouldn't have to listen to any more BS about this issue. I am sick and tired of hearing different information on this stupid laptop, yes the VA was dumb and let this information get out, but this has to be at least the 3rd or 4th different story on how they got it back.

First it was claimed that someone turned in the laptop that he bought from the back of a truck when he saw the $50,000 reward. Now they are saying that there was a tip that allowed the government to somehow get the data back...oh and they've yet to specify exactly how they got it back on June 28th. Get your story straight because I am having trouble believing a darn thing that the government announces these days.
http://www.techknowbizzle.com/2006/07/times-getting-even-tougher-for-vets.html
[ link to this | view in chronology ]
- my2cents, 7 Aug 2006 @ 1:41pm
  
  Re: 3.5 months later...why now?
  I totally agree. But encryption or no encryption, there's no reason that information should have even been on a laptop.. let alone, allowed to leave the building. I understand people want to telecommute or whatever, but when you work in certain positions handling sensitive, confidential, or even secret information, there's no way that should even be an option. The exception being someone like the head an agency with some kind of security detail, or security procedure. Other than that, everyone else needs to bring their ass to work.
  [ link to this | view in chronology ]
G.I. Joe, 7 Aug 2006 @ 10:31am

VA = Vaginal Atrophy
VA still means the State of Virginia to most people. Is it soooo hard to type Veterans Administration? You're not in the military (obviously they're incompetent too), so write a friggin' article AND SPELL S**T OUT YOU MORONS! I'm tired of acronyms with multiple meanings. There is too many. Don't contribute to the madness and stupidity. Keep it up and I'll cut the phone line to your mobile home when you're busy screwing your father's best goat.
[ link to this | view in chronology ]
- Theoden, 7 Aug 2006 @ 11:02am
  
  Re: VA = Vaginal Atrophy
  Actually, Virginia is a Commonwealth, not a state.
  
  "There is too many" is not correct either, so before you jump on someone else's 'mistakes' you should correct your own, Joe.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Aug 2006 @ 11:40am
    
    Virginia not a state?????
    Virginia is too a state. You can't count to 50 stars on our flag without it. However, a few of the southern states (including Virginia) do use the term "commonwealth" as a title of the state. But it's still a state. The only actual commonwealths around the USA (by dictionary definition) are places like Puerto Rico and the Northern Mariana Islands, which are stand-alone territories voluntarily related to the USA, not states under direct USA control.
    
    Info source: http://encarta.msn.com/dictionary_1861599003/Commonwealth.html
    
    I think maybe you should take your own advice and a do a little research so you can come up with an intelligent response instead of just mouthing off like you know everything and then end up being wrong.
    [ link to this | view in chronology ]
- Hop Sing, 7 Aug 2006 @ 2:43pm
  
  Re: VA = Vaginal Atrophy
  That has to be the stupidest comment I have read! The most constructive comment you made was the period at the end of the sentence. Next time you think you have something important to say just go ahead and bang your head against a wall. Better still cover your nose and mouth, cross your legs and fart. Maybe that will clear your mind. In the meantime here are a couple of other acronyms you might like. Sorry I didn't spell it out, thought maybe you can sound them out for yourself.
  F.U. A.H., M.F.P.
  [ link to this | view in chronology ]
Lay Person, 7 Aug 2006 @ 10:43am

#7 VA = ?WHAT?
G.I. Joe:

This is TechDirt. Stories and matters about technology.
Technology as well as the military use nothing but acronyms.

I'm quite certain that once a person recognizes the context, the use of the acronym becomes clear. It may be unclear to those unintiated to the story.

I never questioned the acronym yet I imagine sthat there are people who question it. Perhaps if the contributor at least writes the entire reference once in parentheses to eliminate any doubts.
[ link to this | view in chronology ]
- Anonymous Coward, 7 Aug 2006 @ 11:45am
  
  Re: #7 VA = ?WHAT?
  The VA (which may be headquartered in VA) could have avoided the widespread AV coverage of this if the VA had performed a proper VA on the data storage methods in general and this laptop in particular.
  
  Lexis Nexis shows no reference to Nessus with this story.
  [ link to this | view in chronology ]
NewJerseyKid, 7 Aug 2006 @ 11:19am

I don't know why I cared enough to post this, but Virginia is a state. Get over yourself.

http://en.wikipedia.org/wiki/Commonwealth_%28United_States%29
[ link to this | view in chronology ]
- Anonymous Coward, 7 Aug 2006 @ 12:08pm
  
  Re:
  Umm... that Article says VA is a Commonwealth...
  [ link to this | view in chronology ]
  - Theoden, 7 Aug 2006 @ 12:25pm
    
    Re: Re:
    Go easy on him...he's from New Jersey.
    [ link to this | view in chronology ]
Justin, 7 Aug 2006 @ 11:34am

Wait, this isn't a story about a Vein Assknocker? Shoot.
[ link to this | view in chronology ]
Anonymous Coward, 7 Aug 2006 @ 12:25pm

Virginia is a state, period.
"Commonwealth" is just a fancy title. As you can see, it dates way back. Just try counting the stars on our flag without Virginia and see if you make it to 50. Virginia is a state that just happens to refer to itself as a commonwealth at times. By dictionary definition, every state in the USA can be considered a commonwealth, but they are still states. For that matter, the USA as a whole could be called a commonwealth.

I think a more accurate usage of the term would be for places like Puerto Rico, which are associated with the USA but are not states. For info on this, see below:

http://en.wikipedia.org/wiki/Commonwealth_%28U.S._insular_area%29
[ link to this | view in chronology ]
the awkward observer, 7 Aug 2006 @ 1:09pm

again???
Oh look, more missing VA data. http://www.gcn.com/online/vol1_no1/41582-1.html
[ link to this | view in chronology ]
NewJerseyKid, 7 Aug 2006 @ 1:28pm

Actually, it's a state with "commonwealth" in its formal name. To quote Fight Club, "Putting feathers up your butt does not make you a chicken." The People's Republic of China is hardly a republic, and whatever Virginia might like to call itself, to qtfa:

"Four of the constituent states of the United States officially designate themselves Commonwealths"

They are states, which formally designate themselves as commonwealths ... but states, nonetheless.
[ link to this | view in chronology ]
my2cents, 7 Aug 2006 @ 1:33pm

the VA by any other name is just the same.
Why are people so quick to judge other people’s writing. The whole purpose of writing, talking, or even gesturing is to communicate a certain point. And during that communication, it is assumed that every participant, or in this case-- every reader on this site, is on some basic level of general knowledge, and shares a common interest. Granted, the author should have spelled out Veterans Administration the first time he used it in the article, followed by "(VA)", as we all learned in school. But as someone mentioned, this is a tech site. And we're all here as techies, not literary bards. The point of the article surrounds key words such as-- stolen. data. government. veterans. laptop. security. recovered. NOT “VA”, “the VA”, or “the VA is”. Let's try to get over ourselves. One other thing while I’m on this soapbox: People work, people are preoccupied, people are tired, or whatever the case may be. So we're all prone to misinterpreting things regardless of how smart we think we are. A coworker with a Masters degree who works the night the shift with me was reading an article aloud to the rest of us on night. She was feeling so smart and confident, probably congratulating herself on how fast she was reading and how intelligent she sounded when she came across the word "indicted" (in-DIE-ted). She mispronounced it-- "inDICKted" and we all busted out laughing….including her when she realized the brain slip.
[ link to this | view in chronology ]
Lay Person, 7 Aug 2006 @ 1:45pm

Easy...
Easy on Ralphie you guys.

What if he's like the Ralphie on the Simpsons, he's probably sincere yet misinformed.
[ link to this | view in chronology ]
Acronyminalist, 7 Aug 2006 @ 1:56pm

VA
Even though I live in VA and have basically nothing to do with the V.A., it seemed easy enough to figure out which this meant.

On the actual topic: It is extremely difficult to control the copying of business data by employees. Although anything can be hacked, encryption makes it more difficult to use data on a stolen device or removable media. I suppose this well publicized incident will influence many organizations with sensitive data to evaluate the effort of doing this vs. the risk of not doing it.
[ link to this | view in chronology ]
Aaron, 7 Aug 2006 @ 2:28pm

Commonwealth vs. State
So...is a tomato a fruit or a vegetable? And once it's turned into pizza sauce, does it really f'ing matter?

On to the article! I think on balance, putting out the word is a good thing. Data leaks, even if all the best security policies are in place, will most certainly happen. It's better to be (or even just appear) serious about the matter than just hoping nothing bad happens.

Just like individuals making software security leaks public alerts hackers of an exploit, it also puts pressure on the company to fix the problem. Embarassing mistakes are only bad news if you don't fix the problem.

The VA can come out of this more secure, where if they had not said anything, they probably wouldn't change the culture that brought it on in the first place.
[ link to this | view in chronology ]