The government has recovered the stolen laptop computer and hard drive with sensitive data on up to 26.5 million veterans and military personnel. The FBI said Thursday there is no evidence that anyone accessed Social Security numbers and other data on the equipment.
Veterans Affairs Secretary Jim Nicholson, in announcing the recovery of the computer, said there have been no reports of identity theft stemming from the May 3 burglary at a VA employee's Maryland home.
The FBI, in a statement from its Baltimore field office, said a preliminary review of the equipment by its computer forensic teams "has determined that the data base remains intact and has not been accessed since it was stolen." More tests were planned, however.
Nicholson said the laptop and hard drive were turned in Wednesday to the FBI by an unidentified person in response to the $50,000 reward offer. No suspects were in custody.
"This has brought to the light of day some real deficiencies in the manner we handled personal data," Nicholson told a House hearing investigating one the nation's worst largest information security breaches. "If there's a redeeming part of this, I think we can turn this around."
Michelle Crnkovich, a spokeswoman for the Baltimore FBI field office, said tipster who turned in the laptop in Baltimore has not been charged and likely was not the thief. She said the FBI still believes the laptop was taken in a routine burglary and that the VA data was not the target.
Nicholson urged veterans to keep watch over their financial records until more tests are completed in the coming days. The VA's offer of free credit monitoring for a year is still in effect until subsequent tests are completed, and plans are still on to hire a data analysis company to be on the watch for potential identity theft, he said.
"That's relatively inexpensive," he said of the data analysis work. If it's decided after further analysis that the FBI "has a high enough sense of confidence" in its findings, the credit monitoring may not be needed, he said.
Veterans groups cheered the news that the laptop was recovered but said they still needed the free one-year credit monitoring just to be safe.
"The worst-case scenario may have been averted this time, but an even greater tragedy would be if this type incident was allowed to happen again because of complacency in the work place," said Joe Davis, a spokesman for the Veterans of Foreign Wars. "Those who are entrusted with our nation's secrets and the personal information of its citizens must be held accountable when they fail to do their jobs."
Newly discovered documents show that the VA analyst blamed for losing the laptop had received permission to work from home with data that included millions of Social Security numbers and other personal information on veterans and military personnel.
Rep. Steve Buyer, R-Ind., chairman of the House Veterans Affairs Committee, which was investigating the breach, said he was pleased that veterans may now be able to "breathe a sigh of relief."
"However, this will not diminish our oversight," he said. "We will hold the VA responsible and accountable."
According to documents obtained by The Associated Press, the data analyst faulted for losing the personal data had the department's approval to access millions of Social Security numbers on a laptop from home. One document shows the analyst, whose name was being withheld, had approval as early as Sept. 5, 2002, to use special software at home that was designed to manipulate large amounts of data.
A separate agreement, dated Feb. 5, 2002, from the office of the assistant secretary for policy and planning, allowed the worker to access Social Security numbers for millions of veterans. A third document, also issued in 2002, gave the analyst permission to take a laptop computer and accessories for work outside of the VA building.
The department said last month it was in the process of firing the data analyst, who is now challenging the dismissal.
Under questioning, Nicholson said he was not personally aware of the agreements. Tim McClain, the VA's general counsel, told the committee that the Social Security authorization is standard for an employee doing data analysis work, and that the laptop authorization was for a computer different from the one that was stolen.
"I can't comment on a pending action because it is still pending," McClain said.