Slashdot Mirror


Identity Theft of Many SAIC Employees

Rick Zeman writes "In the wake of the George Mason University identity theft comes another: SAIC, an employee-owned company, has had a break-in which '...netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.' These employees include anyone who's owned SAIC stock, and since it's an employee-owned company, that's most of them, including 'some of the nation's most influential former military and intelligence officials.'"

37 of 208 comments

  1. SAIC & tired of criminals by dotslashdot · · Score: 5, Funny

    I am getting SAIC of these criminals who steal identities and of the companies that help them. For our SAIC, companies who have such personal information & fail to secure it should be sued. I realize that is SAICriligious, but I don't care any more. Finding these criminals will be like looking for a needle in the haySAIC.

  2. Ah, hell. What now? by Ledneh · · Score: 5, Insightful

    One of my parents may have had their identity stolen in this incident. I sure hope not, but in any case... what now? What can be done to prevent the stolen numbers from being used illegitimately?

    --
    "We are the Dyslexia of Borg. Your ass will be laminated. Futility is resistant."
    1. Re:Ah, hell. What now? by AKnightCowboy · · Score: 3, Funny
      One of my parents may have had their identity stolen in this incident. I sure hope not, but in any case... what now? What can be done to prevent the stolen numbers from being used illegitimately?

      Nothing. It's a stupid system, but it's all we've got. Your SSN is a secret password that holds the key to your credit and identity, but thousands of people already know it. Sleep tight.

    2. Re:Ah, hell. What now? by Kalewa · · Score: 5, Informative
      With the usual IANAL disclaimer I'd say notify any credit agencies you deal with about the possible theft of your identity. Do it in writing and make sure you've got records of it.

      If someone actually does try to steal their identity, you've got written proof that you alerted them to possible fraud beforehand, and that should make it easier to avoid any responsibility they may try to pin on you.

    3. Re:Ah, hell. What now? by Anonymous Coward · · Score: 4, Informative

      From a Canadian perspective...

      Having had my identity stolen (social insurance number, etc.), the first thing to do is to contact one of the credit agencies. In Canada you need to contact Equifax and Transunion. (I believe that Equifax also operates in the US; don't get me started about the PATRIOT Act ramifications for Canadians because of this) They will flag your account so that any company that receives a request for new credit cards, etc. must phone you for confirmation.

      Next, file a report with Phonebusters. They will add your info to a database (and nothing else... they do NOT investigate anything). File the same report with the RCMP's Report Economic Crimes OnLine. The RECOL file is more likely to be acted on since it will actually appear on some officer's desk, but don't count on it. Next, file an identical report with your local police. My experience with local cops is that they don't give a shit and in some cases will refuse to take a statement; force them to take your statement because it's essential to the next step and it is your right to do so. Get a copy of this report (one officer refused to give it to me; again, it's your right to have it. In the worst case you'll need to write to the police archive department for it) and head down to your local HRDC branch to get yourself a new Social Insurance Number. You need to bring a copy of the local police report with you. After that comes the fun part about updating your social insurance number with your bank, employer, credit bureau, etc.

      Also, if any company phones you to verify whether you've made an online purchase (that you didn't make), play dumb and get as much info about the delivery location as possible before confirming that it was a fraudulent purchase. Dell's fraud department refused to give me this information after I confirmed that such a fraudulent transaction had been made, citing issues of "privacy". The police refuse to do anything because the fraud wasn't valuable enough. Don't assume for a minute that the cops or businesses involved are going to help you out... you will need to gather as much information about the scammer as possible in order to protect yourself from future scams.

    4. Re:Ah, hell. What now? by timeOday · · Score: 2, Insightful

      Our system is totally screwed up. On the one hand, we have no control about what data people collect about us - whoever collects it owns it, and we have no say. On the other hand, if that data is compromised and hurts us, now who is accountable? The owner of the data? No, the individual has to go to all the trouble and expense of cleaning up after the company's screwup.

  3. thief by Anonymous Coward · · Score: 2, Informative

    It happened to Thrupoint Inc. also (a NY security company). It really sucked.

  4. Why is this data not someplace safe? by Fish+Heads · · Score: 4, Insightful

    So am I crazy, or should these desktop machines not even be HOLDING this kind of data? Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machines. The server belongs in a secured, protected space. You should be able to lose all of your "personal" computers and only have the inconvenience of setting up new computers for those users. I would say that loss is the fault of poor IT practices.

    --
    Time is the quality of nature that keeps events from happening all at once. Lately it doesn't seem to be working. -Anon
    1. Re:Why is this data not someplace safe? by georgewilliamherbert · · Score: 4, Insightful
      So am I crazy, or should these desktop machines not even be HOLDING this kind of data? Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machines. The server belongs in a secured, protected space. You should be able to lose all of your "personal" computers and only have the inconvenience of setting up new computers for those users. I would say that loss is the fault of poor IT practices.
      You aren't crazy.

      You're stretching a bit far... all business-related data covers everything on any computer in the company, and it's not reasonable to expect that there's never any local copy of data on any system in the company. Especially with mobile users, but also for network performance / employee usability reasons.

      But key sensitive data, which does include employee files and shareholder identity info as well as key business sensitive data, should be kept on servers which are physically secure, because systems do walk away from offices.

      There is a huge gap between IT typical practice and IT best practice in this area, though. Most businesses don't have nearly enough physical security for the servers, or for physical records (how many just have a toy lock on a filing cabinet with employee data?...).

      Depending on your definition of negligence, this either clearly wasn't (wasn't any worse than typical businesses) or could have been (a known risk which best practices clearly say not to do).

    2. Re:Why is this data not someplace safe? by xC0000005 · · Score: 2, Interesting

      Welcome to what happens when IT grows instead of being designed. The same sort of issue is what causes a large retailer to use a 4 port Linksys hub as the central point of their network, what causes a major company to use an employee's backup machine as the webserver (leading to an outage when someone accidentally kicks a cable while listening to music), or what makes an email server out of an abandoned machine in a hallway (with power cords going to one office, network to another).

      It's because it grows.
      "We needed another email server, and..."
      "We didn't have a web site, and ..."
      (I have no idea about the hub. I can say it was doing very well for the demand placed upon it.)

      I've seen this far too much, usually when someone didn't plan, and someone else acted.

      --
      www.voiceofthehive.com - Beekeeping and Honeybees for those who don't.
    3. Re:Why is this data not someplace safe? by Stephen+Samuel · · Score: 2, Insightful
      Depending on your definition of negligence, this either clearly wasn't (wasn't any worse than typical businesses) or could have been (a known risk which best practices clearly say not to do).

      This is a company that regularly does high-security work, and hires people like former CIA directors. They work with sensitive and secret data on a regular basis.

      There is no defence of ignorance here. People who regularly handle secret (and above) data did a bad job of protecting sensitive data. I'd say that this bodes ill for the truly secret data that they have at other sites.

      --
      Free Software: Like love, it grows best when given away.
    4. Re:Why is this data not someplace safe? by winwar · · Score: 2, Insightful

      "People who regularly handle secret (and above) data did a bad job of protecting sensitive data. I'd say that this bodes ill for the truly secret data that they have at other sites."

      Not necessarily. Think of it this way. What exactly is the penalty for doing a bad job of protecting personal data? Versus secret and above data?

  5. Article by prurientknave · · Score: 5, Informative

    Break-In At SAIC Risks ID Theft
    Computers Held Personal Data on Employee-Owners
    By Griff Witte
    Washington Post Staff Writer
    Saturday, February 12, 2005; Page E01


    Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.

    The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.

    Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.

    David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances. He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure.

    "I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia.

    About 16,000 SAIC employees work in the Washington area.

    Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions."

    Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances.

    "We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."

    Gary Hassen of the San Diego Police Department said there were "no leads."

    Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted.

    The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc.

    Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company.

    He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.

    The theft comes at a time when the company, which depends on the federal government for more

  6. SAIC by ArmenTanzarian · · Score: 4, Informative

    The company has actually been very responsive to this. They sent out a mass email immediately and created a site of what happened and what to do on the company intranet two days later. They have issued updates, police reports, etc. nearly every day since.

    I've occasionally had issue with the company's size keeping it from being responsive, but this is one thing that got picked up very quickly.

  7. insider job? by tuxette · · Score: 4, Insightful
    "...the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed."

    They better start taking a good close look at their own...

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...
  8. Only that data? by mmThe1 · · Score: 4, Insightful

    Notice the irony:

    "The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security."

    Are we sure it's only the personal data that was compromised? One would be more worried about what *else* was uncovered by whoever-did-this.

    "Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed."

    Or is it the case that break-in was *detected* only in one of the buildings? They had to smash windows of the administrative building, to get the keys of the others?

    1. Re:Only that data? by demachina · · Score: 4, Interesting

      It should be noted that SAIC is the same company who just cratered on the FBI's new Virtual Case File software contract. The one that cost us $170 million dollars and is probably going to be thrown out and replaced with COTS software (which will probably cost millions more). SAIC is one of the elite cadre of companies that specialize in using political influence to land huge government contracts worth billions that they often never deliver anything worth a plugged nickel for. Some other big names CSC, EDS, Lockheed, Boeing, Halliburton/KBR, Bechtel....

      Virtual Case File was actually only 1/3 of a larger contract called Trilogy to modernize the FBI's computer systems. In total it's a $600 million dollar project and it kind of sounds like the 2/3rds of it CSC is doing isn't going a lot better.

      I'm wagering this is just one of many case studies in the U.S. government squandering money in knee jerk reactions after 9/11 that were awarded before any actual thought had been put in to them. The contractors all make out like bandits though. Remember that when you see the $300-$400 billion budget deficits and the slash and burning of domestic spending to pay for "homeland security". It's open to debate if any of the billions that have been spent on "homeland security" have actually made the homeland more secure.

      --
      @de_machina
  9. About Time by Lord+Kano · · Score: 3, Insightful

    'some of the nation's most influential former military and intelligence officials.'

    Maybe this is just the thing we need to make people get serious about privacy.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  10. Blame unsecured Windows! by Reignking · · Score: 3, Funny

    He said the successful theft of personal data, by thieves who smashed windows to gain access

    It looks like Microsoft will be blamed again!

    --
    One man's Funny is another man's Offtopic.
  11. Not me. by Baldrson · · Score: 2, Informative

    I was running the software department for automated ordnance inspection systems around 15 years ago and I've received no notice. Melvin Laird and Bobby Inman were among the SAIC employees at that time IIRC and I'll bet they were notified.

  12. Re:You're fired! by georgewilliamherbert · · Score: 2, Informative

    This was not a network intrusion, the article makes it clear that there was a physical break-in of the building, and that whole computers were stolen.

  13. About Social Security numbers by John+Seminal · · Score: 2, Interesting

    I am surprised how many people give out their SSN# to anyone who seems legitimate and asks. I never give them out, and you should not either. There is only one reason by law a company can have your SSN#, and that is for paying taxes. If your relationship with the organization does not include paying taxes, then refuse to give them your SSN#. If they deny services, you can sue, it is illegal for them to force you to give them your SSN#. This goes for colleges too, you don't have to give them your SSN#, and they will have to give you a different ID.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

    1. Re:About Social Security numbers by Ratcrow · · Score: 2, Informative

      I thought so too, until I once got bored and asked a Radio Shack drone about the SSN requirement for obtaining a cell phone through them.

      He said that the rationale was as follows:

      If you want to enter into a contract with Radio Shack (or whomever they are reselling service for), then you must provide a SSN.

      Since it is a contract, they won't enter into it unless you provide your SSN. Thus, it is not illegal for them to deny you services, and you cannot compel them through the courts to enter into a contract. They'll just tell you to go to their competitor, who will require the same exact thing.

      The biggest problem is that the SSN is considered "secret" anymore. It is not, and it should not be used as though it were.

    2. Re:About Social Security numbers by stewby18 · · Score: 3, Insightful

      There is only one reason by law a company can have your SSN#, and that is for paying taxes. If your relationship with the organization does not include paying taxes, then refuse to give them your SSN#. If they deny services, you can sue, it is illegal for them to force you to give them your SSN#.

      Could you give some sources? I don't believe that your statement is generally true. It's true that there are only a few cases where you are required by law to give out your SSN (the N stands for Number, by the way--a SSN# is like an ATM Machine). However, that doesn't necessarily mean that it's illegal for other companies to ask for your SSN, or refuse you service if you don't give it out. All the sources I can find (this one for example) say that in most cases the most you can do is take your business elsewhere. Some states have laws preventing refusal of service in specific cases (such as utilities), but in general you have no recourse but to complain and/or go elsewhere.

      Before people take your advice and start threatening to sue everyone for violating a law, they should make sure the law actually exists where they are and applies to their situation--otherwise they'll just end up looking silly. Besides, it's always much more effective to be able to quote a specific law a company is breaking instead of just making vague claims of illegality.

  14. Not identity theft by cookiepus · · Score: 4, Informative

    This is not identity theft (yet, anyway)... Stealing people's private data is a breach of security, but it doesn't become identity theft until that data is used in a fraudulent way.

    Someone downthread asked how you can protect yourself... You can't protect your data on someone's system from being stolen, but you can make sure that no one is using your data. Keep track of your credit card bills and review your credit report (you can get those for free if you try) and you should be OK.

    The difference is between someone looking into your apartment with binoculars when you change, and someone raping you.

  15. Re:Ouch ... by rah1420 · · Score: 4, Informative

    Maybe it is time the Government tossed some heavy regulation out to require better e-security.

    Maybe if you RTFA you would realize that e-security had nothing to do with it.

    These computers were physically stolen. e-security would not have done a damn thing. physical security was, and is, the most fundamental thing that can be implemented.

    --
    Mit der Dummheit kämpfen Götter selbst vergebens.
  16. This was possible due to sloppy administration. by Anonymous Coward · · Score: 2, Interesting

    My Mother is one of the employees on the list. She told me that all of that sensitive info was stored on a laptop. Knowing that much, it's highly unlikely that the data was encrypted. Even a newbie system administrator should know that such data should be on a server that is in a locked, climate controlled room with no windows. SAIC is lucky that their stock is not controlled by the market, cause this sure casts doubt on their competence in computer security.

  17. Sorry guys! Its not that hard! by rejecting · · Score: 3, Interesting

    It seems that some of you are living under the delusion that it would be hard to run away with this kind of info. As a Financial Aid Advisor at a university I can tell you that with my database access, a database access that you can receive with a 6 dollar an hour work study position, you could run away with more than 50,000 SSNs, phone numbers, all the information posted on the FAFSA (which is pretty much a rehash of your tax return). I think screaming, WHY DIDN'T THEY HAVE THE SAFEGUARDS IN PLACE, is being pedantic. No one is doing anything to keep your info safe. I'm sorry.

  18. Encrypted data? by Stephen+Samuel · · Score: 3, Interesting

    The people who talked to the press didn't know if the data had been encrypted. At a quick guess, I'd say that if someone could say that it was encrypted that info would have been passed on to the PR geeks, so I'm betting 75/25 that the data was cleartext.

    --
    Free Software: Like love, it grows best when given away.
    1. Re:Encrypted data? by CptNerd · · Score: 2, Funny


      Besides, if it had been encrypted, when they stole the computers they would have stolen the sticky notes that had the passphrases anyway...

      --
      By the taping of my glasses, something geeky this way passes
  19. Re:Please can someone explain to me ... by HeghmoH · · Score: 4, Informative

    Surely they can't be a security-by-obscurity magic code that is used both as an identifier and as a password, so that possession of this single piece of information permits identity theft?

    Of course they can! It's stupid, but there you have it.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  20. Re:being reasonable about sensitive data. by Nefarious+Wheel · · Score: 2, Informative
    Yes. My current contract is in a major Australian bank, where the SOE is locked down to buggery. Users can't even see their C: drive. It's there to hold software, not data, and a lot of cluey full-timers are employed to keep it that way.

    The way to change a corporate computing environment is to control the default options. Whatever's easier is what people will tend to use. Whatever's easiest to support will be made the most convenient option for users. Want control? Stay on the server side...

    --
    Do not mock my vision of impractical footwear
  21. Had this happen at the last company I worked for by raider_red · · Score: 2, Interesting

    My last employer's payroll contractor suffered a break-in similar to this. It appears to have been an inside job, since whoever did it managed to bypass three locked doors, a security system, and two armed guards on the building's only entrance. It appeared that they were only after the hardware, but it was treated as ID theft because of the nature of the data it contained.

    We were advised to put fraud alerts in with the credit reporting agencies, get copies of our reports, and then do it again in three months. No one ever used my ID information, but I'm still getting a credit report regularly just because there might be a copy floating around.

    --
    It's good to use your head, but not as a battering ram.
  22. My SAIC Experience by Slavinski · · Score: 4, Informative

    Having worked for them, I have to say I have already received a letter but if anything happens, I am holding them liable to maintaining the security of my personal information for any loss. If they aren't in the position to hold it securely and with respect then they should expect some grumbling for present and past employees.

    I won't touch on my experience while working for them. I find the whole ownership thing to be overrated but that's me.

  23. I feel so used by DrTime · · Score: 2, Insightful

    I used to work for SAIC and I have to hear about this on /. almost 3 weeks after the fact. I've already googled what I need to do. I was disappointed with SAIC as a company, but they were reasonably generous back when I worked for them. Oh well.

  24. This sucks! by JoeKramer · · Score: 2, Insightful

    As a SAIC employee this just blows. I had to put an ID theft warning on my credit. This story took a long time to come out! This took place weeks ago and we were warned about this over 2 weeks ago! hehe

  25. another PISSED employee owner by Anonymous Coward · · Score: 3, Interesting

    I've been with SAIC for 4 years now, started off good but now it pretty much sucks. This is the icing on the cake.. I'll wager NO ONE gets fired over this (the CFO and/or CTO should resign). There's not much accountability at SAIC, dumb people just get promoted. I'll be leaving soon, F'em.. and if I get ID theft because of this I'll be lining up to sue those stupid f%$k's.