Identity Theft of Many SAIC Employees
Rick Zeman writes "In the wake of the George Mason University identity theft comes another: SAIC, an employee-owned company, has had a break-in which '...netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.' These employees include anyone who's owned SAIC stock, and since it's an employee-owned company, that's most of them, including 'some of the nation's most influential former military and intelligence officials.'"
It happened to Thrupoint Inc. also (a NY security company). It really sucked.
Break-In At SAIC Risks ID Theft
Computers Held Personal Data on Employee-Owners
By Griff Witte
Washington Post Staff Writer
Saturday, February 12, 2005; Page E01
Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.
The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.
Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.
David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances. He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure.
"I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia.
About 16,000 SAIC employees work in the Washington area.
Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions."
Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances.
"We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."
Gary Hassen of the San Diego Police Department said there were "no leads."
Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted.
The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc.
Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company.
He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.
The theft comes at a time when the company, which depends on the federal government for more
The company has actually been very responsive to this. They sent out a mass email immediately and created a site of what happened and what to do on the company intranet two days later. They have issued updates, police reports, etc. nearly every day since.
I've occasionally had issue with the company's size keeping it from being responsive, but this is one thing that got picked up very quickly.
I was running the software department for automated ordnance inspection systems around 15 years ago and I've received no notice. Melvin Laird and Bobby Inman were among the SAIC employees at that time IIRC and I'll bet they were notified.
Seastead this.
This was not a network intrusion, the article makes it clear that there was a physical break-in of the building, and that whole computers were stolen.
This is not identity theft (yet, anyway)... Stealing people's private data is a breach of security, but it doesn't become identity theft until that data is used in a fraudulent way.
Someone downthread asked how you can protect yourself... You can't protect your data on someone's system from being stolen, but you can make sure that no one is using your data. Keep track of your credit card bills and review your credit report (you can get those for free if you try) and you should be OK.
The difference is between someone looking into your apartment with binoculars when you change, and someone raping you.
Ecce Europa - Web Design for Business
Maybe it is time the Government tossed some heavy regulation out to require better e-security.
Maybe if you RTFA you would realize that e-security had nothing to do with it.
These computers were physically stolen. e-security would not have done a damn thing. physical security was, and is, the most fundamental thing that can be implemented.
Against stupidity the gods themselves contend in vain.
I thought so too, until I once got bored and asked a Radio Shack drone about the SSN requirement for obtaining a cell phone through them.
He said that the rationale was as follows:
If you want to enter into a contract with Radio Shack (or whomever they are reselling service for), then you must provide a SSN.
Since it is a contract, they won't enter into it unless you provide your SSN. Thus, it is not illegal for them to deny you services, and you cannot compel them through the courts to enter into a contract. They'll just tell you to go to their competitor, who will require the same exact thing.
The biggest problem is that the SSN is considered "secret" anymore. It is not, and it should not be used as though it were.
If someone actually does try to steal their identity, you've got written proof that you alerted them to possible fraud beforehand, and that should make it easier to avoid any responsibility they may try to pin on you.
From a Canadian perspective...
Having had my identity stolen (social insurance number, etc.), the first thing to do is to contact one of the credit agencies. In Canada you need to contact Equifax and Transunion. (I believe that Equifax also operates in the US; don't get me started about the PATRIOT Act ramifications for Canadians because of this) They will flag your account so that any company that receives a request for new credit cards, etc. must phone you for confirmation.
Next, file a report with Phonebusters. They will add your info to a database (and nothing else... they do NOT investigate anything). File the same report with the RCMP's Report Economic Crimes OnLine. The RECOL file is more likely to be acted on since it will actually appear on some officer's desk, but don't count on it. Next, file an identical report with your local police. My experience with local cops is that they don't give a shit and in some cases will refuse to take a statement; force them to take your statement because it's essential to the next step and it is your right to do so. Get a copy of this report (one officer refused to give it to me; again, it's your right to have it. In the worst case you'll need to write to the police archive department for it) and head down to your local HRDC branch to get yourself a new Social Insurance Number. You need to bring a copy of the local police report with you. After that comes the fun part about updating your social insurance number with your bank, employer, credit bureau, etc.
Also, if any company phones you to verify whether you've made an online purchase (that you didn't make), play dumb and get as much info about the delivery location as possible before confirming that it was a fraudulent purchase. Dell's fraud department refused to give me this information after I confirmed that such a fraudulent transaction had been made, citing issues of "privacy". The police refuse to do anything because the fraud wasn't valuable enough. Don't assume for a minute that the cops or businesses involved are going to help you out... you will need to gather as much information about the scammer as possible in order to protect yourself from future scams.
The other respondent to your initial idiotic posting is correct. Most of the thousands of SAIC employees are just in fact normal, everyday US citizens who deserve this just as much as anyone else, which is to say not at all. Hopefully when you get a little more mature you'll learn what a bad idea it is to wish ill on others. Now go crawl back into the slime pit where you came from.
Surely they can't be a security-by-obscurity magic code that is used both as an identifier and as a password, so that possession of this single piece of information permits identity theft?
Of course they can! It's stupid, but there you have it.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
The way to change a corporate computing environment is to control the default options. Whatever's easier is what people will tend to use. Whatever's easiest to support will be made the most convenient option for users. Want control? Stay on the server side...
Do not mock my vision of impractical footwear
This is a case where the information was held by SAIC because it related to employees and shareholders (which in SAIC's case are also limited to employees). One way or the other, the SSN is needed for tax reporting purposes. It's not like we had a choice in this case. (Yes, I'm a former SAIC employee, and yes, I just set a fraud alert with the three credit reporting agencies.)
Having worked for them, I have to say I have already received a letter but if anything happens, I am holding them liable to maintaining the security of my personal information for any loss. If they aren't in the position to hold it securely and with respect then they should expect some grumbling for present and past employees.
I won't touch on my experience while working for them. I find the whole ownership thing to be overrated but that's me.