A day after one of the biggest reported data loss cases in history, many questions remain for the 26 million veterans who fear their identities have been compromised.
Yesterday, the Veterans Administration announced that more than 26 million veterans – every living veteran, I was told – had their Social Security numbers stolen recently by a house burglar. A database with their personal data was on a computer stolen from a Veterans Affairs employee, the agency announced yesterday. But the announcement raised as many questions as it answered. Chief among them: How could someone carry around a database that large? Easily, it turns out.
You might think a database that big would be too big even for most laptop computers. Actually, it wouldn't. In fact, it's possible the lost data fit on one of those little thumb drives.
The question of the size of such a database was bothering me, so I ran a little test. And my test shows such a file, if accurately described by the VA as containing only names, dates of birth, and Social Security numbers, could easily be compressed to a little larger than 1 gigabyte. That means it could be carried around on a flash drive.
You might remember, military missteps with thumb drives made news just a few weeks ago when a Los Angeles Times reporter purchased drives at bazaars near a U.S. military base in Baghram, Afghanistan, containing incredibly sensitive data, including the names of Al-Qaeda informants and their contact information. So there is precedent for the little gadgets causing big trouble.
I created a database with 1 million records containing names, dates of birth and Social Security numbers in Microsoft Access. (They weren't real.) Then I exported it as a plain text file, which is how you would transport such data. That file is only 43 megabytes. Multiply that by 26 and you get about 1.1 gigabytes. SanDisk sells a thumb drive which holds 2 Gigs.
Of course, if there were even a few more fields in that file (disability numbers were mentioned, but let's say address, rank, etc.), the size of the file would increase quickly. With eight to 10 more fields the VA tale becomes a bit less plausible. But as presented to the media, it's entirely possible this data was very portable.
But the story, as told so far by federal authorities, still leaves other questions unanswered.
Who exactly was in that database? The announcement indicated "some spouses" of veterans, but offered no additional details. Vets who call the toll free number offered by the government apparently can't get specifics. When I asked the VA, the response I got was confusing. "Every living veteran and any veteran ever applying for benefits," wrote VA spokeswoman Louise Filkins. But other accounts say only veterans since the Vietnam War were in the database.
What was the analyst doing with all that data? What project could possibly require bringing home 26.5 million Social Security numbers? No answers on that.
And finally, and perhaps most important, what should vets do now? The federal government has so far offered only vague suggestions. So I've compiled my own checklist, which will be available here. Basically, vets should add fraud alerts to their credit report accounts, consider adding a credit freeze, examine their credit reports often (see the link for tips on that) and find healthy outlets to vent their frustration.