Sunday, February 13, 2005

SAIC Break-in Serious Security Issue

SAIC is a huge government contractor out here and is involved in some of the more sensitive areas of classified information. They recently reported that a break-in had occurred in one of their San Diego offices, where thieves made off with computer equipment housing the personal data of some or all of the 45,000-member workforce even obliquely managed by that office. That list contains a huge number of people with government clearances at all levels of classification, and those people have been advised that they need to "take precautions" as a result of the theft.

:::::::: Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.

The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.::::::::

Well, that's just great. A firm that claims such expertise in security should never have allowed this data to be housed anywhere near an "administration" building that didn't have full classified-level security measures in place. SAIC's spokesman, Ben Haddad, said:

::::::::"We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."::::::::

He also said they weren't sure if the thieves specifically targeted those computers - which would indicate the data was the real goal - or if they just snagged something to sell for quick cash. Immaterial. Even if it's the latter, just who do you think they're going to sell the gear to? Some all-night pawn shop? Whoever buys that equipment is going to damn sure be able to see what's on it. San Diego PD flatly says there are no leads in the case.

Oh, and did I mention that the database all this stuff is in is a collection of information about past and present stock shareholders? SAIC is employee-owned, so every employee's data is in there. Of course, there's plenty of data in there from non-employees who just so happened to have had stock in the company. Nice return on the investment, eh? In case you're thinking the name SAIC is familiar, you've seen it in the news lately. Their San Antonio division is under investigation for allegedly padding cost estimates on an Air Force contract. More recently, they're the company that has been responsible for creating the FBI's Virtual Case File that has been rather widely denounced as a $170 million failure.

SAIC's head doesn't appear to be in "the game" of security lately, and that's a serious matter for concern.