"After a Veterans’ Affairs employee improperly brought the material home." This phrase summarizes the #1 threat to personal data online: human recklessness. Not ignorance, as with any number of CGI and SQL injection exploits. Just simple, stupid recklessness with other people’s information.
Veterans’ Administration Secretary Jim Nicholson exposed his ignorance of the severity of the breach with this statement:
"I want to emphasize there was no medical records of any veteran and no financial information of any veteran that’s been compromised."
This is simply not true. According to the AP article in front of me, the information compromised was for veterans who were discharged after 1975. The military has used Social Security numbers for soldier identification since the 1960s. The SSN is a crucial ingredient in any attempt to steal a person’s entire identity, for bank loans and credit cards, clean driving records, even forged documents for illegal aliens. As long as the Internal Revenue Service requires the SSN for its non-corporate tax forms, the SSN is financial information.
I am also waiting to find out how the "midlevel data analyst" was able to obtain unregulated access to production information. During project development, database administrators are supposed to supply bogus data. In this case, the developer should be using names like "Corporal Mickey Mouse" and "Sergeant Woody Woodpecker" with invalid SSNs. Any access to production data should be tightly controlled; the DBA clearly shares some of the blame for allowing unfettered access to so much data during project development. As this incident shows, all the security in the world does no good when incompetents are guarding the gold mine.
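The bogus-data practice described above, as an added example that is not part of the original post: development rows keep the schema but get placeholder names and SSNs that cannot be issued, and an audit flags any row that still carries a plausible SSN. The field names and sample rows are constructed; the check relies on the Social Security Administration never assigning area 000, 666 or 900-999, group 00, or serial 0000.

```python
# Placeholder names taken from the post; everything else here is hypothetical.
PLACEHOLDER_NAMES = ["Corporal Mickey Mouse", "Sergeant Woody Woodpecker"]

# Constructed sample standing in for production rows (not real people).
SAMPLE_PRODUCTION = [
    {"name": "Jane Example", "ssn": "123-45-6789", "discharge_year": 1982},
    {"name": "John Sample", "ssn": "234-56-7890", "discharge_year": 1991},
]

def could_be_issued(ssn: str) -> bool:
    """True if the value has a structure that could be an assigned SSN."""
    parts = ssn.split("-")
    if [len(p) for p in parts] != [3, 2, 4] or not all(p.isdigit() for p in parts):
        raise ValueError(f"not in NNN-NN-NNNN form: {ssn!r}")
    area, group, serial = parts
    never_assigned = (
        area in ("000", "666") or area >= "900"  # areas never assigned as SSNs
        or group == "00" or serial == "0000"
    )
    return not never_assigned

def fake_ssn(index: int) -> str:
    """Deterministic, unique value in the never-assigned 000 area."""
    if not 0 <= index < 99 * 9999:
        raise ValueError("index out of range")
    group, serial = divmod(index, 9999)
    return f"000-{group + 1:02d}-{serial + 1:04d}"

def make_fixtures(production_rows):
    """Build development rows: same columns, no real identity data."""
    fixtures = []
    for i, row in enumerate(production_rows):
        fixture = dict(row)  # non-identifying columns are carried over
        base = PLACEHOLDER_NAMES[i % len(PLACEHOLDER_NAMES)]
        fixture["name"] = f"{base} {i + 1}"
        fixture["ssn"] = fake_ssn(i)
        fixtures.append(fixture)
    return fixtures

def audit(rows):
    """Return rows whose SSN could be real; a dev data set must yield none."""
    return [r for r in rows if could_be_issued(r["ssn"])]

if __name__ == "__main__":
    dev_rows = make_fixtures(SAMPLE_PRODUCTION)
    print(dev_rows)
    print("rows needing attention:", audit(dev_rows))
```

Running `audit` against a development database before it leaves the controlled environment turns "no production data in dev" into a check rather than a promise.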
However, the bulk of the blame, and any subsequent punishment, belongs to the "analyst" who so obviously has no clue about data flow. This idiot should never again enjoy our liberties, the trust of whose defenders was so carelessly betrayed.