Identity Theft of Many SAIC Employees

Rick Zeman writes "In the wake of the Geoge Mason University identity theft comes another: SAIC, an employee-owned company, has had a break-in which '...netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.' These employees include anyone who's owned SAIC stock, and since it's an employee-owned company, that's most of them, including 'some of the nation's most influential former military and intelligence officials.'"

SAIC & tired of criminals

[dotslashdot]

I am getting SAIC of these criminals who steal identities and of the companies that help them. For our SAIC, companies who have such personal information & fail to secure it should be sued. I realize that is SAICriligious, but I don't care any more. Finding these criminals will be like looking for a needle in the haySAIC.

Ah, hell. What now?

[Ledneh]

One of my parents may have had their identity stolen in this incident. I sure hope not, but in any case... what now? What can be done to prevent the stolen numbers from being used illegitimately?

Re:Ah, hell. What now?

[Kalewa]

With the usual IANAL disclaimer I'd say notify any credit agencies you deal with about the possible theft of your identity. Do it in writing and make sure you've got records of it.

If someone actually does try to steal their identity, you've got written proof that you alerted them to possible fraud beforehand, and that should make it easier to avoid any responsibility they may try to pin on you.

Re:Ah, hell. What now?

From a Canadian perspective...

Having had my identity stolen (social insurance number, etc.), the first thing to do is to contact one of the credit agencies. In Canada you need to contact Equifax and Transunion. (I believe that Equifax also operates in the US; don't get me started about the PATRIOT Act ramifications for Canadians because of this) They will flag your account so that any company that receives a request for new credit cards, etc. must phone you for confirmation.

Next, file a report with Phonebusters. They will add your info to a database (and nothing else... they do NOT investigate anything). File the same report with the RCMP's Report Economic Crimes OnLine. The RECOL file is more likely to be acted on since it will actually appear on some officer's desk, but don't count on it. Next, file an identical report with your local police. My experience with local cops is that they don't give a shit and in some cases will refuse to take a statement; force them to take your statement because it's essential to the next step and it is your right to do so. Get a copy of this report (one officer refused to give it to me; again, it's your right to have it. In the worst case you'll need to write to the police archive department for it) and head down to your local HRDC branch to get yourself a new Social Insurance Number. You need to bring a copy of the local police report with you. After that comes the fun part about updating your social insurance number with your bank, employer, credit bureau, etc.

Also, if any company phones you to verify whether you've made an online purchase (that you didn't make), play dumb and get as much info about the delivery location as possible before confirming that it was a fraudulant purchase. Dell's fraud department refused to give me this information after I confirmed that such a fraudulant transaction had been made, citing issues of "privacy". The police refuse to do anything because the fraud wasn't valuable enough. Don't assume for a minute that the cops or businesses involved are going to help you out... you will need to gather as much information about the scammer as possible in order to protect yourself from future scams.

Why is this data not someplace safe?

[Fish+Heads]

So am I crazy, or shoudl these desktop machines not even be HOLDING this kind of data? Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machiens. The server belongs in a secured, protected space. You should be able to lose all of your "personal" computers and only have the inconvenience of setting up new computers for those users. I would say that loss is the fault of poor IT practices.

Re:Why is this data not someplace safe?

[georgewilliamherbert]

So am I crazy, or shoudl these desktop machines not even be HOLDING this kind of data? Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machiens. The server belongs in a secured, protected space. You should be able to lose all of your "personal" computers and only have the inconvenience of setting up new computers for those users. I would say that loss is the fault of poor IT practices.

You aren't crazy.

You're stretching a bit far... all business-related data covers everything on any computer in the company, and it's not reasonable to expect that there's never any local copy of data on any system in the company. Especially with mobile users, but also for network performance / employee usability reasons.

But key sensitive data, which does include employee files and shareholder identity info as well as key business sensitive data, should be kept on servers which are physically secure, because systems do walk away from offices.

There is a huge gap between IT typical practice and IT best practice in this area, though. Most businesses don't have nearly enough physical security for the servers, or for physical records (how many just have a toy lock on a filing cabinet with employee data?...).

Depending on your definition of neglegence, this either clearly wasn't (wasn't any worse than typical businesses) or could have been (a known risk which best practices clearly say not to do).

Article

[prurientknave]

Break-In At SAIC Risks ID Theft Computers Held Personal Data on Employee-Owners
By Griff Witte
Washington Post Staff Writer
Saturday, February 12, 2005; Page E01


Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.

The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.

Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.

David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances. He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure.

"I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia.

About 16,000 SAIC employees work in the Washington area.

Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions."

Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances.

"We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."

Gary Hassen of the San Diego Police Department said there were "no leads."

Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted.

The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc.

Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company.

He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.

The theft comes at a time when the company, which depends on the federal government for more

SAIC

[ArmenTanzarian]

The company has actually been very responsive to this. They sent out a mass email immediately and created a site of what happened and what to do on the company intranet two days later. They have issued updates, police reports, etc. nearly every day since.

I've occaisionally had issue with the company's size keeping it from being responsive, but this is one thing that got picked up very quickly.

insider job?

[tuxette]

"...the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed.

They better start taking a good close look at their own...

Only that data?

[mmThe1]

Notice the irony:

"The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security."

Are we sure it's only the personal data that was compromised? One would be more worried about what *else* was uncovered by whoever-did-this.

"Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed."

Or is it the case that break-in was *detected* only in one of the buildings? They had to smash windows of the administrative building, to get the keys of the others?

Re:Only that data?

[demachina]

It should be noted that SAIC is the same company who just cratered on the FBI's new Virtual Case File software contract. The one that cost us $170 million dollars and is probably going to be thrown out and replaced with COTS software(which will probably cost millions more). SAIC is one of the elite cadre of companies that specialize in using political influence to land huge government contracts worth billions that they often never deliver anything worth a plugged nickel for. Some other big names CSC, EDS, Lockheed, Boeing, Hallibiburton/KBR, Bechtel....

Virtual Case File was actually only 1/3 of a larger contract called Trilogy to modernize the FBI's computer systems. In total its a $600 million dollar project and it kind of sounds like the 2/3rds of it CSC is doing isn't going a lot better.

I'm wagering this is just one of many case studies in the U.S. government squandering money in knee jerk reactions after 9/11 that were awarded before any actual thought had been put in to them. The contractors all make out like bandits though. Remember that when you see the $300-$400 billion budget deficits and the slash and burning of domestic spending to pay for "homeland security". Its open to debate if any of the billions that hve been spent on "homeland security" have actually made the homeland more secure.

Not identity theft

[cookiepus]

This is not identity theft (yet, anyway)... Stealing people's private data is a breach of security, but it doesn't become identity theft until that data is used in a fraudulent way.

Someone downthread asked how you can protect yourself... You can't protect your data on someone's system from being stolen, but you can make sure that no one is using your data. Keep track of your credit card bills and reiew your credit report (you can get those for free if you try) and you should be OK.

The difference is between someone looking into your apartment with binoculars when you change, and someone raping you.

Re:Ouch ...

[rah1420]

Maybe it is time the Government tossed some heavy regulation out to require better e-security.

Maybe if you RTFA you would realize that e-security had nothing to do with it.

These computers were physically stolen. e-security would not have done a damn thing. physical security was, and is, the most fundamental thing that can be implemented.

Re:Please can someone explain to me ...

[HeghmoH]

Surely they can't be a security-by-obscurity magic code that is used both as an identifier and as a password, so that possession of this single piece of information permits identity theft?

Of course they can! It's stupid, but there you have it.

My SAIC Experience

[Slavinski]

Having worked for them, I have to say I have already received a letter but if anything happens, I am holding them liable to maintaining the security of my personal information for any loss. If they aren't in the position to hold it securely and with respect then they should expect some grumbling for present and past employees.

I won't touch on my experience while working for them. I find the whole ownership thing to be overrated but that's me.