Frankly Speaking: The Real VA Fix

30.05.2006
This is Memorial Day in the U.S., a day set aside for honoring Americans who died fighting for their country. The U.S. Department of Veterans Affairs got an early start on the celebration last week by announcing that personal data on 26.5 million U.S. veterans was recently stolen, exposing them to possible identity theft.

That's about one of every 10 Americans.

And not Americans who did anything risky with their personal data. What they risked was their lives in the service of their nation. And the thanks they get is that the VA was sloppy with their information and it was stolen, and now they're left twisting in the wind.

And it shouldn't have happened. It was completely unnecessary.

Everyone knows the story from news reports by now: A VA employee, who was authorized to access the data only at the office, took it home. His computer was stolen in a burglary. The computer contained names, birth dates and Social Security numbers for everyone discharged from the U.S. military since 1975.

Now politicians are screaming for investigations and firings at the VA. That's the sort of feel-good blame-mongering that plays well in an election year.

Fire the employee who broke the rules? Sure. Fire the bureaucrats up the line, and scapegoat the political appointees at the top? Fine. But none of that will prevent this from happening again - at the VA or anywhere else.

There's a real solution to this problem. And once you politicians have finished your Memorial Day speeches, you have the power to make that solution a reality.

You just have to pass a law dictating that all U.S. government agencies protect Social Security numbers as sensitive information and make them available to employees only on a need-to-know basis.

That way, people like that VA employee wouldn't lose millions of Social Security numbers in a burglary. They wouldn't lose them because they couldn't take them home. They couldn't take them home because they'd never have access to them in the first place.

Do they need them? Of course not. No employee needs a pile of 26.5 million Social Security numbers. Most government employees don't use Social Security numbers for Social Security- or tax-related work anyway. It's just a convenient way to keep track of who's who, so they don't confuse one John J. Jones born on July 4, 1960, with another John J. Jones with the same birth date.

For that, all they need is a unique identifying number. Those are easy to generate. Lots of businesses that once used Social Security numbers as identifiers have replaced them with their own customer IDs. Federal agencies can, too.

This isn't a technical challenge. It requires a technical fix, but it's far easier than Y2K or Sarbanes-Oxley. Mainly it's a political problem: You lawmakers will have to find the will to do it.

So let's shave away the excuses.

Forget about some grand, unpassable law banning commercial use of Social Security numbers. Just tighten things up at federal agencies. That way you don't have to face lobbyists sobbing that their keepers can't afford the cost, or think-tankers whining about government interference in the private sector.

Forget about arguments that limiting use of Social Security numbers will hamstring law enforcement. If the FBI, CIA, NSA and IRS need to use them, they can. VA bureaucrats aren't on that list.

And forget about claims that restrictions will be hugely expensive or highly disruptive to agencies' work. The work-arounds are cost-effective. The employees can adjust.

Remember this: This Memorial Day, tens of millions of veterans who fought to protect this country have been left unprotected, exposed to identity thieves. And it will happen again - to them and to all of us - unless you do something about it.

Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.