Identity Theft of Many SAIC Employees

Rick Zeman writes "In the wake of the Geoge Mason University identity theft comes another: SAIC, an employee-owned company, has had a break-in which '...netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.' These employees include anyone who's owned SAIC stock, and since it's an employee-owned company, that's most of them, including 'some of the nation's most influential former military and intelligence officials.'"

Ah, hell. What now?

[Ledneh]

One of my parents may have had their identity stolen in this incident. I sure hope not, but in any case... what now? What can be done to prevent the stolen numbers from being used illegitimately?

Why is this data not someplace safe?

[Fish+Heads]

So am I crazy, or shoudl these desktop machines not even be HOLDING this kind of data? Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machiens. The server belongs in a secured, protected space. You should be able to lose all of your "personal" computers and only have the inconvenience of setting up new computers for those users. I would say that loss is the fault of poor IT practices.

Re:Why is this data not someplace safe?

[georgewilliamherbert]

So am I crazy, or shoudl these desktop machines not even be HOLDING this kind of data? Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machiens. The server belongs in a secured, protected space. You should be able to lose all of your "personal" computers and only have the inconvenience of setting up new computers for those users. I would say that loss is the fault of poor IT practices.

You aren't crazy.

You're stretching a bit far... all business-related data covers everything on any computer in the company, and it's not reasonable to expect that there's never any local copy of data on any system in the company. Especially with mobile users, but also for network performance / employee usability reasons.

But key sensitive data, which does include employee files and shareholder identity info as well as key business sensitive data, should be kept on servers which are physically secure, because systems do walk away from offices.

There is a huge gap between IT typical practice and IT best practice in this area, though. Most businesses don't have nearly enough physical security for the servers, or for physical records (how many just have a toy lock on a filing cabinet with employee data?...).

Depending on your definition of neglegence, this either clearly wasn't (wasn't any worse than typical businesses) or could have been (a known risk which best practices clearly say not to do).

insider job?

[tuxette]

"...the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed.

They better start taking a good close look at their own...

Only that data?

[mmThe1]

Notice the irony:

"The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security."

Are we sure it's only the personal data that was compromised? One would be more worried about what *else* was uncovered by whoever-did-this.

"Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed."

Or is it the case that break-in was *detected* only in one of the buildings? They had to smash windows of the administrative building, to get the keys of the others?