A veterans organization is suing the Pentagon for exposing private details about troops’ military service on “a truly massive scale” due to lax security on one of its websites.
The lawsuit filed by Vietnam Veterans of America charges that that a Defense Department website “is currently exposing private details about the military service of millions of veterans to anybody at all, anonymously, for any purpose.”
The shoddy security measures allow virtually anyone to access sensitive data about veterans’ records by typing in a name and date of birth, which are easily available on the internet, alleges the suit, which was filed last week in federal court in New York. This gives “easy access to information about essentially all veterans or service members in the system” and thus violates the Federal Privacy Act, the lawsuit says.
The Servicemembers Civil Relief Act website, which according to the Pentagon receives more than 2.3 billion searches a year, is meant to be used by authorized institutions like banks to confirm the active duty status that entitles service members to certain protections.
Instead, the information is available to con artists and scammers who can use it to impersonate government or other officials and gain veterans’ trust by discussing details of their service that only authorized organizations would have.
Thomas Barden, a veteran of the Vietnam War who served in the U.S. Air Force for 21 years, found that out firsthand.
The plaintiff in the suit received a call from someone supposedly affiliated with Microsoft in March 2016. Since the caller knew all kinds of personal details about Barden’s military service, Barden thought he was authorized by the government. The scammer convinced him his computer was at risk, and sold him firewall software to protect it. Nine months later, the scammer gained remote access to the computer, locked him out, and threatened to hold his files for ransom unless he paid up.
Worried about data theft, Barden broke the hard drive into pieces and was so concerned about his privacy that he threw them into different trash cans over several days. Since then, he has continued to receive harassing phone calls from the same scammers, causing him “significant anxiety and stress,” according to the lawsuit.
Impostor fraud and identity theft aside, the group says that Vietnam veterans in particular want to keep details of their military record private, having “experienced the sting of rejection and public scorn on account of their service.”
Since they draw a steady, guaranteed income from the government, veterans are an attractive target for scammers. The numbers have increased in recent years, from 58,175 complaints by veterans in 2014 to 69,801 in 2016, according to the Federal Trade Commission’s Consumer Sentinel Network.
“Veterans are disproportionately targeted by scammers and identity thieves,” Vietnam Veterans of America President John Rowan said in a statement.
The Pentagon “is fueling the problem by leaving veterans’ private information easily accessible on the internet (and) has refused to properly secure veterans’ information,” he said. “We are asking a court to order them to do so.”
The Defense Department has refused to make any changes since being alerted about the problems with the site, the suit says. It points out that the Defense Department could implement a strict user registration or online verification system, which are used by the Social Security Administration and the Department of Homeland Security.
The challenges of protecting the massive databases containing military records are not new. The Department of Veterans Affairs in particular has struggled with privacy issues.
In 2014, a joint Pentagon-VA benefits site had recurring issues with private information about veterans being disclosed to random visitors. The VA was also sued over a serious privacy breach in 2006, after an employee’s laptop was stolen that contained the private data of 26 million soldiers and veterans. The VA settled for $20 million for failing to protect their sensitive data.
In other cases, veterans expecting to receive their own healthcare records opened their mail only to receive hundreds of pages of someone else’s private data.
"I got 256 pages of another person's extremely confidential, extremely explicit mental health records," Anthony McCann, a veteran in Tennessee, told a VA town hall in 2014.
The VA is the health provider with the most privacy complaints in the country, racking up 220 complaints between 2011 and 2014 according to a ProPublica analysis. In one case, an employee accessed her husband’s medical records more than 260 times. Another employee shared a veteran’s private health information with his parole officer. In yet another case, a VA employee posted details of a patient’s health records on Facebook after opening them 61 times, according to documents posted by ProPublica.