Identity Theft of Many SAIC Employees
Rick Zeman writes "In the wake of the George Mason University identity theft comes another: SAIC, an employee-owned company, has had a break-in which '...netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.' These employees include anyone who's owned SAIC stock, and since it's an employee-owned company, that's most of them, including 'some of the nation's most influential former military and intelligence officials.'"
OH YEA if they only used biometrics everything would be safe. It would be so much harder to steal that many thumbs
All i can say is: pwned!
I am getting SAIC of these criminals who steal identities and of the companies that help them. For our SAIC, companies who have such personal information & fail to secure it should be sued. I realize that is SAICriligious, but I don't care any more. Finding these criminals will be like looking for a needle in the haySAIC.
One of my parents may have had their identity stolen in this incident. I sure hope not, but in any case... what now? What can be done to prevent the stolen numbers from being used illegitimately?
"We are the Dyslexia of Borg. Your ass will be laminated. Futility is resistant."
It happened to Thrupoint Inc. also (a NY security company). It really sucked.
So am I crazy, or should these desktop machines not even be HOLDING this kind of data? Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machines. The server belongs in a secured, protected space. You should be able to lose all of your "personal" computers and only have the inconvenience of setting up new computers for those users. I would say that loss is the fault of poor IT practices.
Time is the quality of nature that keeps events from happening all at once. Lately it doesn't seem to be working. -Anon
Break-In At SAIC Risks ID Theft Computers Held Personal Data on Employee-Owners
By Griff Witte
Washington Post Staff Writer
Saturday, February 12, 2005; Page E01
Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.
The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.
Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.
David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances. He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure.
"I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia.
About 16,000 SAIC employees work in the Washington area.
Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions."
Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances.
"We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."
Gary Hassen of the San Diego Police Department said there were "no leads."
Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted.
The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc.
Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company.
He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.
The theft comes at a time when the company, which depends on the federal government for more
The company has actually been very responsive to this. They sent out a mass email immediately and created a site of what happened and what to do on the company intranet two days later. They have issued updates, police reports, etc. nearly every day since.
I've occasionally had issue with the company's size keeping it from being responsive, but this is one thing that got picked up very quickly.
They better start taking a good close look at their own...
People say I'm crazy, I got diamonds on the soles of my shoes...
This was not an "identity theft." A theft is an unauthorised taking or use of someone else's property with the intent to permanently deprive the owner or the person with rightful possession of that property or its use. Here, no one was deprived of her identity so it was not a theft. It was impersonation. This mistake may seem innocent but the problem is that if we frivolously use the words "theft" and "stealing" in such an irresponsible way, we are more likely to let the newspeak like "intellectual property" and "software piracy" slip under the radar. Editors, please correct that error in the story. Let us not take part in the corporate brainwashing. We should be more responsible than that if we don't want to be mindless tools of the "everything is property, doing anything is theft" propaganda.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Someone is going to lose his or her job. We all know that operating systems and applications have bugs. However, most of the break-ins are because of unpatched or misconfigured systems, which are administrator faults. 99.99999999999999% of bad guys are too lazy to find holes themselves like Kevin Mitnick did when he broke into Sun to get Solaris and find security bugs. So, they use what is known. Admins must use what is known to fix those problems.
Notice the irony:
"The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security."
Are we sure it's only the personal data that was compromised? One would be more worried about what *else* was uncovered by whoever-did-this.
"Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed."
Or is it the case that break-in was *detected* only in one of the buildings? They had to smash windows of the administrative building, to get the keys of the others?
'some of the nation's most influential former military and intelligence officials.'
Maybe this is just the thing we need to make people get serious about privacy.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
He said the successful theft of personal data, by thieves who smashed windows to gain access
It looks like Microsoft will be blamed again!
One man's Funny is another man's Offtopic.
It is on the increase in the UK as it is. Identity theft is one of the major problems the authorities here have to deal with, and there's even a new advertisement series out to promote awareness, with the celebrity "glamour" touch. The very fact that details of such importance can be stolen is the very thing that baffles me about this though. Surely greater security should be taken? Or has someone managed to place revenue under consumer, staff and company safety? Another day, another... blunder.
I was running the software department for automated ordnance inspection systems around 15 years ago and I've received no notice. Melvin Laird and Bobby Inman were among the SAIC employees at that time IIRC and I'll bet they were notified.
Seastead this.
I don't mean to be a troll, but I'm overjoyed by this news. Normal, everyday US citizens have been getting screwed over by identity theft for years, now.
In the aftermath of this, hopefully some governmental officials will start learning why using only semi-private identifiers like "Social Security numbers and other private information" is so bad for us.
Uh oh, someone knows my social security number and credit card information. Just like pretty much every creditor I have. I guess that means I can't use my name and likeness any more since it's been stolen from me.
What was wrong with the good old days where they just called it "credit card fraud"?
I don't like defending companies, but in this one instance I will. Companies are not responsible for military type security. I don't want to have to pay an extra 10% for my car so Ford can pay network security people outrageous salaries to protect my customer information. It is extortion by the computer security people. Maybe the state needs to start licensing computer security people, the way states license other professionals. By doing so, anyone who wants to get a job working with network security would be known by the state. Businesses would be prohibited from hiring non-licensed people, so the wanna-be hacker either has to register or forgo the potential six figure salary. Then catching these people might not be so hard.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
I am surprised how many people give out their SSN# to anyone who seems legitimate and asks. I never give them out, and you should not either. There is only one reason by law a company can have your SSN#, and that is for paying taxes. If your relationship with the organization does not include paying taxes, then refuse to give them your SSN#. If they deny services, you can sue, it is illegal for them to force you to give them your SSN#. This goes for colleges too, you don't have to give them your SSN#, and they will have to give you a different ID.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
This is not identity theft (yet, anyway)... Stealing people's private data is a breach of security, but it doesn't become identity theft until that data is used in a fraudulent way.
Someone downthread asked how you can protect yourself... You can't protect your data on someone's system from being stolen, but you can make sure that no one is using your data. Keep track of your credit card bills and review your credit report (you can get those for free if you try) and you should be OK.
The difference is between someone looking into your apartment with binoculars when you change, and someone raping you.
Ecce Europa - Web Design for Business
Patiently waiting for it to dawn on the other half of the posters that it was not a software vulnerability but a physical break in ...
I get the part about not having sensitive information on individual machines. But the server has to give out data to these machines for normal business. If I am in billing, I will need some of the customer data from the server. What is to stop someone from just sniffing the data?
Having worked at a few companies, I know employees will find ways to get around this. I knew one place that did keep customer information on a server, and the server was so slow getting any queries processed. So you know what employees did? They used a function which allowed parts of the database to be downloaded into spreadsheets, which they kept on their desktop computer. They figured it was quicker to do one download than to wait 1-2 minutes for each query.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
no notice received here either, and i live in san diego....
if it's found out that this stolen computer was ripe for the picking, i hope to see this in court. it's high time companies pay for not securing data (physically and electronically). and that includes using crappy microsoft products.
i know for a fact that a major credit card company is using ms-ie on its clerks' desktops for both www browsing and cc account access. security be damned.
SAIC is also the company responsible for the FBI's Virtual Case File debacle. They've just been soaking in the good news all year long!
Hooray for security!
Yeah, i thought this was a network break in until i read the article ... and then, the fact that this happened (the theft of *physical* computers) just blew my mind. i mean, damn. i work for a medium sized company (200 emp) that doesn't do anything sensitive of this nature, but damned if i could get anywhere near our servers without dismantling the building. It will be interesting to see who gets the axe for this mess.
My Mother is one of the employees on the list. She told me that all of that sensitive info was stored on a laptop. Knowing that much, it's highly unlikely that the data was encrypted. Even a newbie system administrator should know that such data should be on a server that is in a locked, climate controlled room with no windows. SAIC is lucky that their stock is not controlled by the market, cause this sure casts doubt on their competence in computer security.
Who is SAIC? Spell "SAIC" backward for a clue left in plain sight.
... what this American obsession with secrecy of "social security numbers" is?
Surely they can't be a security-by-obscurity magic code that is used both as an identifier and as a password, so that possession of this single piece of information permits identity theft?
Assuming that it isn't, why do people get so worked up about it?
(And if it is, well, how daft is that ?!!*?!?**!!?)
I know it's newsworthy but SAIC has already notified by various means all those employees and former employees it could reach...you are just spreading the word to anyone who knows where identity info gets fenced.
The stolen info includes our bank account numbers for those of us who set up funds transfers for our ESP accounts...we are, or we should, be running around like crazy now, checking credit bureau reports and clamping additional pass phrases, and putting fraud watches on all our accounts...this sucks in spades and we really don't need MORE publicity just now.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
It took five clicks to find this -- SAIC: Science Applications International Corporation
/.'ers gt trd of dling w/ thm.
Too many acronyms in the bus. wld. I wsh it wld stp.
Oooh so harsh. I'm sure in your world they will go to prison with the commies and pinkies and terrorists and lefties and hippies etc etc. yawn
You didn't even read the article anyway. No one 'broke into' a computer. They stole them. Physically. Burglary is the crime. The speculation is about ID theft and why such sensitive info was lying around on workstations.
I stand by what I said. It is a problem with the system. Endless tough new laws will do nothing save give Right wing maniacs and Bush adorers a false sense of security. Personally I think you are a troll.
It seems that some of you are living under the delusion that it would be hard to run away with this kind of info. As a Financial Aid Advisor at a university I can tell you that with my database access, a database access that you can receive with a 6 dollar an hour work study position, you could run away with more than 50,000 ssn, phone numbers, all the information posted on the FAFSA (which is pretty much a rehash of your tax return). I think screaming, WHY DIDN'T THEY HAVE THE SAFEGUARDS IN PLACE, is being pedantic. No one is doing anything to keep your info safe. I'm sorry.
I think there may come a day when the only way to securely store data is to physically disconnect it from the 'net. Perhaps an either-or solution would work. Intranet OR Internet, but never both. To connect to the database server, someone must, using their actual hands, flip the switch between the two. Make the computer itself either a dumb terminal, or just give it no execution privileges for the intranet to prevent resident programs from crossing over.
1-2 minutes per query? Dear god. what were they using for a db server, a 386?
Or did they just have a copious number of users (all of which did frequent queries)?
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Actually, I was involved with the initial U of IL prototype of the SAIT plasmascope back in 1975 (doing a 3D demo) during which transplants from the PLATO project to (then) SAI got small amounts of early stock before moving on to other jobs. I'm sure most of them haven't been notified and some of them have dropped off the radar completely.
Seastead this.
Break in was only discovered when a security patrol noticed the smashed glass during a normal patrol. The break in may have happened between 1 am and 4 am. I assume any burglar alarm would respond in fewer than 3 hours
it's not reasonable to expect that there's never any local copy of data on any system in the company.
.. it's entirely the 'reasonable' nature of the situation that led to this disaster in the first place.
umm
policy is there for a reason. enforced policy - i.e. no sensitive data on un-secured, non-ops room computers - is also there for a reason.
enforced policy of this nature would have prevented this occurring. it's precisely for 'reasonableness' that allows these circumstances to occur.
you might be saying "absolutes aren't", but absolutely: a well-enforced ops-room policy on protected data, is as absolute as you can get in the computer world.
what is negligent about this situation, is the policy. completely negligent policy led to this disaster, nothing less..
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
...but this was a physical break-in in which a computer was actually stolen from a building.
;o)
Just goes to show that security policies need to be multi-faceted, not just concerned with firewalling from the internet. You need to look at physical access to machines, both from employees and potential intruders.
We co-lo in several data centres and all of them, without fail, have physical security that would put the american embassy in kabul or baghdad to shame
I am NaN
For one thing, get off your bloody high horse about what theft does and doesn't mean. It's old, it's semantic hair-splitting, and it sounds like you're ready for your spot in the Cranky Old Unix Hackers Home.
Second, it's only impersonation if someone uses the identity to actually impersonate someone else. Stealing information, which often happens as an unintended consequence when someone steals the hardware it's on, in no way proves or implies that that data will be used as you suggest.
Nobody ever gets to see the server. The database is Oracle, and it is located somewhere off site. When it does not work, we have a phone number we call for tech support. We leave a message, and if we are lucky someone will call back within an hour. The web interface to the database is proprietary, and is serviced by a consulting company. The tech guys I talked with were all smart, but most of the time the answer was the same thing, "try again later".
The problem is the database is just too big for all the data. There must be over a million customers in the database, and most of those customers in the database have nothing to do with my region. The other problem is the requests time out too often. It sucks waiting 2 minutes to get an error page. That is why most people, either very early in the morning, or when they leave the office, will download large chunks of the database on their desktop, so they won't have to wait.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
The stolen info includes our bank account numbers for those of us who set up funds transfers for our ESP accounts...we are, or we should, be running around like crazy now, checking credit bureau reports and clamping additional pass phrases, and putting fraud watches on all our accounts...this sucks in spades and we really don't need MORE publicity just now.
One key thing pointed out in the article is how many SAICers they haven't been able to get in touch with. To me (I was the submitter), that meant that this info should be disbursed far and wide to alert all of the potential victims. The thieves, presumably, know what they have and know what to do with it.
All they had to do to get in was break a window? Yeah, that's some impressive security demonstrated by a fucking government contractor.
Reminds me of the Simpsons episode where Burns has to go into the control room to shut down the power plant. He passes through a bunch of high-security measures and gets into the room, only to find a dog in there who entered through an open screen door on the far wall.
The people who talked to the press didn't know if the data had been encrypted. At a quick guess, I'd say that if someone could say that it was encrypted that info would have been passed on to the PR geeks, so I'm betting 75/25 that the data was cleartext.
Free Software: Like love, it grows best when given away.
it's interesting to see that companies with sensitive information still don't realize that all the fancy tech gizmos in the world won't stop someone from walking off with your box...
Get your torrents...
When I started working at the state AG's office they were just completing the job of putting up bulletproof glass in the lobby of the building. You had to have an RFID access card to get in, etc.
One day I'm in the deputy chief of BCI's office and I see this piece of glass that's about 1/2" thick with pieces of masking tape next to all sorts of fractures, etc. indicating the caliber and weapon type.
Apparently he'd taken it home and tested it. The only thing to pierce it was a rifle round, everything else, including a shotgun just wasn't powerful enough.
Then I mentioned to him that all the windows on the front of the building, particularly in the BCI unit were nothing but plain old glass laminate.
There were some embarrassed people after that little comment.
My rating in the eyes of the former law enforcement folks went up several notches because of that comment. They even used to take me with them and let me qualify at the gun range whenever they went. I was already pretty good, but with some expert guidance got even better.
Just goes to show that you cannot cover all security concerns.
This is a very good point. We shouldn't misuse the language like that. RIAA only waits for it.
A quick googling listed a recent /. discussion as the first link. Could this be a step towards doing the same thing to the United States? It seems like exactly the kind of data that would be necessary to tie in information from other sources.
With the potential to store terabytes in a desktop computer (and terabytes more on media), it's possible to transport the data of entire organizations, corporations, and governments around. For large amounts of data, probably easier and a whole lot cheaper, too. Just ask Netflix and the USPS.
"Never underestimate the bandwidth of a station wagon..."
I'd rather this was publicized.
Unfortunately...
The only way to get companies to take security seriously is to embarrass them.
The only way to get companies to protect their consumers is to make it very dangerous economically for them to operate if the public is aware they have problems with security.
The only way to get government to crack down on criminals engaging in this activity is to get corporations very concerned about the economic implications of these breaches and therefore put (the most effective) pressure on government and law enforcement. If it were up to the average citizen to lobby government for improvement in this area, we'd be even worse off.
It sucks if you're the company being exposed, but it's better in the long run for everybody.
Anyway, Biometrics isn't the final solution : as stated in another topic, get your fingerprint owned once, and you'll never be safe again.
Sig (appended to the end of comments you post, 120 chars)
I won't go into details, but I will say my experiences with the company were very disappointing. One of the supposed benefits of working for an employee owned company is opportunity for mobility within the company if the project or contract a person is working on does not get picked up again. Not exactly what I saw. There was no perceived benefit to being an employee going for a position vs. being someone off the street.
I was surprised about some of the things in the article, and that problems with SAIC contracts are a lot more widespread than what I thought.
IMO, if the founder saw what his creation had become, he'd be livid. I really believe the founder started things with the right idea and concept, things just haven't stayed with his vision.
SAIC receives $4B contract to develop Identity Theft tracking system.
I happen to work for this great company and I must say they have handled this situation with the utmost professionalism. They have people dedicated to help anyone affected by this.
People in the identity markets, just like every other market for stolen goods, have their own channels to let their customers know when there's a new batch of data available. I'm reasonably certain that Slashdot and the Washington Post aren't among them. If the stolen information was sold, it probably hit the market and was gobbled up long before the Post heard about it. Spreading the word means the former employees SAIC couldn't reach have a better chance of not being burned by this gaffe.
You're not one of those folks who believes that people who point out obvious, gaping holes in airport security are giving terrorists a roadmap for their next attack, are you?
Yes, it does, and I'm sorry you're having to be put through all of the inconvenience of double-checking the safeguards on your finances. It's a big pain in the ass.
Why? Because it will reflect poorly on SAIC's ability to safeguard employee information and lead to questions about how it protects sensitive information provided by its customers? Well, those questions should be asked. Federal contractors screw up all the time on the taxpayer's nickel and walk off having made a tidy profit. SAIC goofed, and it's going to have to live with the possible impacts to its bottom line.
As a stockholder, you should be hopping mad about this. If SAIC were a public company, I can almost guarantee Wall Street would react negatively. Perhaps the thing to do would be for you and your fellow stockholders to force the board to hold the butts of Ken Dahlberg, Duane Andrews, Tom Darcy and John Warner in a sling until they can explain why this happened and provide regular, outside-verified reports on what they're doing to make sure it won't happen again.
With so much semi-private information available (all credit cards, bank accounts, etc.), it is a wonder that vendors and providers of credit use the stuff to identify their customers. How about a "better" way?!?
Lost in space at an early age. Survived the vacuum. Now rebuilding castle in air.
Clown. It's the pantyhose troll again, and you bought it. Look at the user name.
What's the real teeth grinder on this one is that many employees had direct deposit for their stock transactions. They lost bank account numbers, tracking numbers, the whole enchilada.
It does seem remarkable that information of that sensitivity was on Windows and unencrypted. And a company that specializes in building information systems for the government. Astonishing. Doesn't matter how good your password security on Windows. Anyone can crack a Winblows box they have physical control of in five minutes.
Trustworthy computing strikes again. But it's not all MSFT's fault this time.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Encrypted filesystems may not do anything for a running computer that has the filesystems mounted and gets a root compromise, but in the case of where a computer is turned off and physically stolen, the stealie should be out of luck. Some heads are going to roll over this one, you can bet on it. I can't imagine a reason why that sensitive information wouldn't or shouldn't be encrypted?
My last employer's payroll contractor suffered a break-in similar to this. It appears to have been an inside job, since whoever did it managed to bypass three locked doors, a security system, and two armed guards on the building's only entrance. It appeared that they were only after the hardware, but it was treated as ID theft because of the nature of the data it contained.
We were advised to put fraud alerts in with the credit reporting agencies, get copies of our reports, and then do it again in three months. No one ever used my ID information, but I'm still getting a credit report regularly just because there might be a copy floating around.
It's good to use your head, but not as a battering ram.
You are being MICROattacked, from various angles, in a SOFT manner.
...why so many people here seem to have very strong objections to identity cards being implemented in the US, looking at the way SSN has been implemented and used.
Identity cards and identity numbers have been implemented successfully in many other countries. The trick, of course, is that everyone understands that the ID is not a secret, but just an identifier. It cannot be used to verify someone's identity by just producing the number. Once that is understood, that solves most so-called identity theft problems we keep hearing about.
Having worked for them, I have to say I have already received a letter but if anything happens, I am holding them liable to maintaining the security of my personal information for any loss. If they aren't in the position to hold it securely and with respect then they should expect some grumbling for present and past employees.
I won't touch on my experience while working for them. I find the whole ownership thing to be overrated but that's me.
In general, you want enough information about yourself to make it unlikely that anyone would be able to impersonate you. I wouldn't mention your name (not because of identity theft, but as a general rule).
Also, call all your current credit card companies and tell them your identity was stolen, and that requests for change of address must be made in writing, with verification sent to your home address before the request is granted.
Finally, opt out of pre-approved credit offers. This is so that the thief won't start receiving these offers in your name.
None of these are guaranteed, but they're good ideas anyway.
I used to work for SAIC and I have to hear about this on /. almost 3 weeks after the fact.
I've already googled what I need to do. I was disappointed with SAIC as a company, but they were reasonably generous back when I worked for them. Oh well.
You must be kidding. SAIC is a body shop just like EDS....
As a SAIC employee this just blows. I had to put an ID theft warning on my credit. This story took a long time to come out! This took place weeks ago and we were warned about this over 2 weeks ago! hehe
I've been with SAIC for 4 years now, started off good but now it pretty much sucks. This is the icing on the cake.. I'll wager NO ONE gets fired over this (the CFO and/or CTO should resign). There's not much accountability at SAIC, dumb people just get promoted. I'll be leaving soon, F'em.. and if I get ID theft because of this I'll be lining up to sue those stupid f%$k's.
The first rule of security is that the computer is only as secure as its physical location. It is really astounding that people configure a server as the electronic equivalent of Fort Knox and then keep it in a room where everyone, including the janitor, has access. Is it any wonder that we hear about these smash and grab thefts so often?
"Social Insecurity Number", that's how it should be called.
At least in France we don't have such a universal identifier. Our "social security number" is used only for administrative purposes related to health.
Public Treasure, other administrations, banks and private companies each have their own numbers.
Here is what they can do to minimize their pain:
- Put a 90-day fraud alert on all three of their credit files. This can be done over the phone immediately using their automated system.
- When they do this, they will get a free copy of their credit reports from all three bureaus. They need to read these reports with a fine-toothed comb and report any inaccuracies (reporting is a pain in the ass... sorry...)
- Put a 7 year fraud alert on all three bureau files.
- Repeat step 2 every six months (pulling a credit report and reporting any inaccuracies).
This regimen is not going to prevent any abuse of their identities. Even with the fraud alert, it's about 25% of the time that anyone even reads that when they pull my credit. But it helps a little. At any rate, this is how to minimize their headaches. BTW, I know that there are services out there that promise to do all this for you. I don't know if they have gotten any better, but I used PrivacyGuard for a while, and they totally missed two fraudulent credit accounts getting opened in my name. So save your money and do the legwork yourself. :-(
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
The problem is the database is just too big for all the data. There must be over a million customers in the database, and most of those customers in the database have nothing to do with my region.
Sounds like a partitioned key and some judicious where clauses would help a lot.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
For instance, at Booz Allen, it would not have been too difficult to walk off with an unclass computer or two, but to get to any classified materials, you would have had to get into the SIPR lab which does not have any windows, but it does have a reinforced door with multiple requirements to unlock it. Not everyone with clearance is even able to open it. And that room was like the Hotel California. Things may go into the lab, but nothing ever leaves.
So I agree that SAIC's handling of their employees' sensitive data was pretty pathetic, I'm just telling you that if they treated the US Government's sensitive data in such a manner, people would be in jail over it.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
The real question is: How can a company whose main areas of work include IT and security have had such lax IT Security policies for itself? (he asks as he posts anonymously through https.)
AFAIK, partly from having looked at jobs with them (and finding every single job wants a security clearance), SAIC does almost *nothing* that's not intelligence- or military-related.
Don't y'all feel *so* secure?
ROTFLMAO!!!
mark
This is identity theft. Go to www.consumer.gov/idtheft to find out how to report it.
I wound up being exposed in this theft. Used to be an employee. Sucks. Would not be surprised to get caught in the Choicepoint theft too. The SAIC folks did the righteous thing though, sent us email a couple days before making the public announcement.
;-)
I have begun to opt out anywhere I have the choice to not divulge my SSN. Try it sometime; it's not easy or fun to have people hang up on ya. Most times I can do it, but I almost always have to discuss it with a supervisor.
One other comment on this. I think the original SSA enabling legislation made it illegal to use SSN as a form of identification, yet today, you don't easily take a leak without it (think about it, every credit/debit card transaction, check etc is recorded with it.) And... you have very little choice in the matter. Your driver's license, even if not printed with it (a difficult proposition in some states) is registered against your SSN.
Now for the irony: Call Equifax, etc... to register a fraud alert... you get a blind number, voice mail hell thing (no humans), which asks you to blindly plug in (guess now) your SSN for them to record the fraud alert against, and asks for your phone number, birthday, etc.... what a system.
Yet you don't own one bit of the information stored there, you don't have any right to tell them to pull it, no real significant legal teeth to bite anyone with (although you do have a right to see it for free [in some states]). Hey businesses own the information, and the revenue stream, and interestingly I found the same is true for your medical records. You think you own it??? Wrongo, the insurance company and Doctor own it, and short of the legal restrictions imposed by HIPAA, they can use it however they choose, including denying it to others against your will.
Sheeple will be sheeple.
mdw