"Why the hell was someone allowed to have all that data at home?" asked O'Pry, who is chief technology officer at The Henssler Financial Group in Kennesaw, Ga. "Surely, they must have had policies and procedures to prevent that. If they didn't, why not? And if they did, what sort of checks and balances did they have?"

O'Pry's sentiments were echoed by several other IT managers in the wake of the VA's disclosure last week that "electronic data" containing the unencrypted names, Social Security numbers and birth dates of all U.S. veterans discharged since 1975 was stolen during a burglary at the Maryland home of a data analyst who works for the agency.

VA officials said the analyst had legitimate access to the data at work but wasn't authorized to take it home. The agency didn't specify what kind of IT equipment was stolen, but the FBI and the VA inspector generals office jointly identified it as a laptop and an external hard drive.

The theft is one of the biggest data breaches reported thus far. But aside from its massive scope, the incident at the VA is no different from countless other compromises, and it points to a continuing failure by many organizations to implement well-understood controls on data transmission, access and storage, IT managers and security analysts said.

"What it comes down to is information life-cycle management," said Robert Garigue, chief security executive and vice president of information integrity at Bell Canada in Montreal. Far too often, companies focus solely on protecting their technology infrastructures, to the exclusion of ensuring that the information stored within them is safe from being illegally accessed or compromised, Garigue said.