And last week, we learned that over two million active duty people also had personal data on that lost machine.
The thing I'm surprised at not hearing is the question: What if this were enemy action?
Okay, I don't know all the details of the case. It could well have been a random theft. And if it were a random theft, odds are that the machine's drives were wiped before the thieves resold it the next day. End of major problem.
But what if it were a targeted theft? In that case, the VA employee would have been in on it, and that would explain how all that data was on a PC that was taken home.
So if it were a targeted theft, set up ahead of time, who would be the recipients? Our Government already has the data, so I don't suspect them. Corporations would just ask the Government, and wouldn't do things this way.
How about "the terrorists"? Anybody who considered themselves a military enemy of the US would find SSN and birthdate data for active duty military personnel pretty darned useful, no? Totally screwing up the troops' credit ratings would be a novel way to demoralize a fighting force. And you could do that by writing a bot to apply all over the web for credit cards and loans, and letting it do its thing.
Or perhaps Bin Laden's next tape will include personal messages? "Jimmy Jonesowski of Beaumont, Texas, we've been talking with your parents, and they want you to come home."
Yes, it's far-fetched and probably not Bin Laden's style. But it's a genuine concern, and it's something I'd expect to hear more chatter about in the blogosphere and on news sites.