The Veterans Affairs Data Breach of 2006

IDWise Logo

Are veterans and military personnel at an increased risk of experiencing identity theft? And if so, why?

Active and retired military personnel are more likely than the general population to suffer identity theft or abuse. According to a 2013 FTC report, identity theft complaints among U.S. military members and veterans are made at twice the number reported by the general public.

Veterans and active personnel are at an increased risk because:

  • Social Security numbers are mostly commonly used to identify military members, and are often placed on dog tags and health-care cards
  • Servicemen and women receive government benefits and insurance that non-military personnel do not
  • Phone and emails scams can be tailored to tug on the heartstrings of the military community
  • They are often unable to monitor their accounts and personally identifying information (PII) while on active service duty

Perhaps most alarming is the fact that in 2006, a data breach at Veterans Affairs potentially exposed the PII of more than 26.5 million veterans and service personnel.

How did the breach occur?

On May 3, 2006, a data analyst at Veterans Affairs had his computer equipment stolen from his home in Montgomery County, Maryland. The analyst's hard drive contained unencrypted information on 26.5 million people.

The analyst reported the crime to the Maryland police and his supervisors at Veterans Affairs. The supervisors did not report the theft to the Veterans Affairs' secretary, R. James Nicholson, until May 16.

On May 17, 2006 the FBI was informed of the breach and began working with local police to investigate the crime.

What information was stolen?

The unencrypted data included:

  • Names
  • Social Security numbers
  • Dates of birth
  • Disability ratings

The majority of data was tied to veterans and their spouses. Still, 1.1 million active-duty personnel were affected, including 430,000 members of the National Guard and 645,000 members of the Reserves.

Was the data ever recovered?

The stolen laptop and hard drive were eventually recovered by police. The FBI performed a forensic examination on the computer equipment and reported that no data had been compromised. However, experts claim there are ways to thwart detection.

How has the government responded?

In 2009, the Veterans Affairs Department reached an agreement in a class-action lawsuit filed by five veterans alleging invasion of privacy. The VA agreed to pay $20 million to veterans for exposing them to possible identity theft.

The VA has also made strides to limit the exposure of military members' PII, including:

  • Extensive, mandatory security awareness training for all VA employees
  • Reducing the use of Social Security numbers as primary identifiers
  • Strict records management procedures
  • The creation of the Identity Safety Service, which assists veterans affected by identity theft

For more details, please visit: http://www.va.gov/identitytheft/VAprotects.asp

How do I protect myself?

Check your credit report three times a year and report any errors. Be wary of phone and email solicitations or offers that appear to be "too good to be true." Follow the Center for Identity's checklist of tasks to complete before and after deploying.

Learn about military targeted scams, and how to protect your personal identifying information, by exploring more Center for Identity articles.

IDWise Logo
What is IDWise?

Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy. IDWise offers clear and accessible resources to empower citizens—both online and offline—to be better informed and make smarter choices to protect their personal information.

IDWise Logo

Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy.

Learn More