
U.S. PIRG Consumer Blog


May 23, 2006

VA breach a recipe for instant identity theft

Yesterday the U.S. Veterans Administration admitted that an employee's home was burglarized and that records containing the names, birth dates and Social Security Numbers of 26 million veterans were stolen. Homer Simpson would say "Doh!" We say: We're well protected by state laws. Don't use this as an excuse to pass bad federal privacy laws.

Here's our identity theft fact sheet and here's more info from the FTC. From the VA:

This data contained identifying information including names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings.

SSNs and names and birthdates -- the keys to your financial identity -- all together? That's a recipe for instant identity theft, even though VA tries to divert blame by claiming (phew!) "Importantly, the affected data did not include any of VA's electronic health records nor any financial information." So what? (And isn't a disability rating derived from a health record?) And then VA goes on to pass the buck by claiming that the employee "violated policy." So what? The breach is still VA's fault for having a weak, unenforceable data protection policy that fails to recognize its responsibilities. A potential thief or thieves now has the keys to establish false identities in the names of 26 million veterans. (The birthdates are a bonus -- they just make it easier -- the SSNs alone would have been enough.) Here are some questions we have:
  1. Why weren't the data encrypted (no story claims the data were encrypted), after so many reported breaches of unencrypted data in the last 15 months?
  2. How can a "policy" be the only protection against an employee downloading 26 million unencrypted records and taking them home in a lunchbox or whatever? Where are the data or audit trails or sign-out logs or double-entry approvals?
  3. On a related matter, why does the military still place Social Security Numbers on the health insurance cards and other IDs given to some 2.5 million or more active duty personnel and all of their dependents?
  4. Will industry lobbyists try to make lemonade for themselves and lemons for us by using this fiasco to try and convince Congress to pass weak, industry-approved data security and breach notice laws that preempt the better state laws that forced this public disclosure? See my blog on HR 3997, the worst data bill ever, for example. Will Congress go along with the industry requests and pass those weak industry-approved laws that don't protect us but prevent the states from doing so?
  5. Even though sloppy creditor and credit bureau practices make it easy for unskilled ID thieves to use these "keys," will the credit bureaus and credit card companies brazenly use this fiasco to market under-performing and over-priced credit monitoring services? Credit monitoring doesn't protect consumers from identity theft. Security freezes do.
  6. What should veterans do?
We recommend to veterans: don't panic, don't stress out and don't purchase over-priced credit monitoring services. Instead, do three, or maybe four, things:
  1. Look at your credit reports for free. Look for errors or potential fraud accounts that are not yours. Federal law gives any consumer the right to look at each of their 3 reports for free each year by calling 877-322-8228 or logging on to annualcreditreport.com (don't be fooled by the upsell offers for "free" credit monitoring. It isn't free. Stick with the free federal "file disclosure," as the bureaus like to call it). Federal law also gives consumers who suspect fraud an additional right to look at each of their 3 reports, by contacting the credit bureaus (Equifax, Trans Union and Experian) directly. Finally, 7 states (Colorado, Georgia (2x/year), Maine, Maryland, Massachusetts, New Jersey, and Vermont) give any consumer an additional annual free credit report right from each of the bureaus. Contact the credit bureaus directly to exercise your state rights. Use these free reports as a type of credit monitoring: anyone can get one report, then another 4 months later, then the third 4 months after that. Those in the 7 states or who suspect fraud can increase this frequency.
  2. Be alert: if you receive phone calls about verifying your new credit card application or about debts you know you don't owe, presume you've been victimized. Here's our identity theft fact sheet and here's more info from the FTC.
  3. Contact Congress. Urge support for strong identity theft protections that preserve state authority to enact even stronger laws.
  4. Finally, if you live in a state where you can protect your credit reports with a free or low-cost security freeze, consider freezing your credit report (you'll need to unfreeze your report whenever you want to apply for credit). Laws that have already taken effect give any consumer in California, Connecticut, Louisiana, Maine, Nevada, New Jersey, and North Carolina this right. Soon, security freeze laws protecting all consumers in Colorado, Kentucky, New York, Utah and Wisconsin will also take effect.

If industry has its way, Congress will pass a federal data security law that eliminates all these laws, and replaces them with a weak law that either gives no one the right to freeze their credit, or only grants the right to victims. That's like saying you can't wear a seatbelt unless you've already been injured in a car crash.

Not good? No, not good. But that's what a majority of the House Financial Services Committee voted for when the committee approved HR 3997, the worst data privacy bill ever. If the bill becomes law, stronger state laws applying to all consumers will be thrown out and only victims will have the right to what will be a clunky, bureaucratic, 20th century security freeze.

Recent laws enacted in New Jersey and Utah are 21st century laws, because they make the freeze fast and easy to use. Both states eventually establish an instant (15 minute) temporary thaw (lift). (And in New Jersey: placing the security freeze is FREE; the bureaus can charge you up to $5 each when you wish to thaw it, but they cannot charge you to place the freeze.)

Want to see how your member voted on the worst bill ever? Seventeen members voted with consumers, 48 voted against consumers. Final passage in committee is the vote chart here at the top of page 24 (1 page pdf excerpt from committee report; pro-consumer vote = NAY).

The full committee report, with all votes, including the bill as amended in committee, is here (81 pages pdf).

Security freezes give consumers real control over access to their credit report that no other identity theft prevention action provides. Your best defense is going to be a security freeze. A freeze prevents new creditors from accessing your credit report. This closes a loophole that identity thieves have exploited, since most businesses will not issue new credit or loans to people without first reviewing their credit reports.

Why shouldn't all consumers have the right to a free or low-cost, consumer-friendly (easy-to-use) freeze? Don't we need "instant privacy" to counter the risk that "instant credit" poses? And don't we need real protection -- protection that the Fair Credit Reporting Act says the credit bureaus should provide us anyway?

All consumers should have the right to sleep at night without worrying about identity theft, by placing a freeze on their accounts. It's the only proven way to stop identity theft before it starts.

Posted by Ed Mierzwinski at May 23, 2006 01:53 PM


Comments

A good point is made about why the data were not encrypted. This also casts doubts on the ability of the VA and its push for electronic health records, as I mention today:
http://eightfeetdeep.blogspot.com/2006/05/data-theft-leaves-more-doubts-about-va.html

Posted by: Dick at May 23, 2006 04:27 PM
