Identity Theft of Many SAIC Employees
Rick Zeman writes "In the wake of the George Mason University identity theft comes another: SAIC, an employee-owned company, has had a break-in which '...netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.' These employees include anyone who's owned SAIC stock, and since it's an employee-owned company, that's most of them, including 'some of the nation's most influential former military and intelligence officials.'"
Ouch ... (Score:1, Flamebait)
Re:Ouch ... (Score:5, Informative)
Maybe if you RTFA you would realize that e-security had nothing to do with it.
These computers were physically stolen. E-security would not have done a damn thing. Physical security was, and is, the most fundamental thing that can be implemented.
Encrypted data? (Score:4, Interesting)
Re:Encrypted data? (Score:3, Funny)
Besides, if it had been encrypted, when they stole the computers they would have stolen the sticky notes that had the passphrases anyway...
SAIC & tired of criminals (Score:5, Funny)
Ah, hell. What now? (Score:5, Insightful)
Re:Ah, hell. What now? (Score:4, Funny)
Nothing. It's a stupid system, but it's all we've got. Your SSN is a secret password that holds the key to your credit and identity, but thousands of people already know it. Sleep tight.
Re:Ah, hell. What now? (Score:3, Insightful)
Re:Ah, hell. What now? (Score:5, Informative)
If someone actually does try to steal their identity, you've got written proof that you alerted them to possible fraud beforehand, and that should make it easier to avoid any responsibility they may try to pin on you.
Re:Ah, hell. What now? (Score:2)
With the usual IANAL disclaimer I'd say notify any credit agencies you deal with about the possible theft of your identity. Do it in writing and make sure you've got records of it.
I'd say the first step is to use the automated fraud alert system from any of the big three agencies to put an alert in your record and automatically notify the other agencies. They should send a confirmation in the mail. If you don't get it, then follow up in writing. Using the automated system is going to save a lot of tim
Re:Ah, hell. What now? (Score:4, Informative)
From a Canadian perspective...
Having had my identity stolen (social insurance number, etc.), the first thing to do is to contact one of the credit agencies. In Canada you need to contact Equifax [equifax.ca] and Transunion [transunion.com]. (I believe that Equifax also operates in the US; don't get me started about the PATRIOT Act ramifications for Canadians because of this) They will flag your account so that any company that receives a request for new credit cards, etc. must phone you for confirmation.
Next, file a report with Phonebusters [phonebusters.ca]. They will add your info to a database (and nothing else... they do NOT investigate anything). File the same report with the RCMP's Report Economic Crimes OnLine [recol.ca]. The RECOL file is more likely to be acted on since it will actually appear on some officer's desk, but don't count on it. Next, file an identical report with your local police. My experience with local cops is that they don't give a shit and in some cases will refuse to take a statement; force them to take your statement because it's essential to the next step and it is your right to do so. Get a copy of this report (one officer refused to give it to me; again, it's your right to have it. In the worst case you'll need to write to the police archive department for it) and head down to your local HRDC [hrdc.gc.ca] branch to get yourself a new Social Insurance Number. You need to bring a copy of the local police report with you. After that comes the fun part about updating your social insurance number with your bank, employer, credit bureau, etc.
Also, if any company phones you to verify whether you've made an online purchase (that you didn't make), play dumb and get as much info about the delivery location as possible before confirming that it was a fraudulent purchase. Dell's fraud department refused to give me this information after I confirmed that such a fraudulent transaction had been made, citing issues of "privacy". The police refuse to do anything because the fraud wasn't valuable enough. Don't assume for a minute that the cops or businesses involved are going to help you out... you will need to gather as much information about the scammer as possible in order to protect yourself from future scams.
Re:Ah, hell. What now? (Score:2)
Re:Ah, hell. What now? (Score:2)
As someone who has had his identity stolen (Score:2)
Here is what they can do to minimize their pain:
thief (Score:2, Informative)
Why is this data not someplace safe? (Score:4, Insightful)
Re:Why is this data not someplace safe? (Score:2)
Re:Why is this data not someplace safe? (Score:5, Insightful)
You're stretching a bit far... all business-related data covers everything on any computer in the company, and it's not reasonable to expect that there's never any local copy of data on any system in the company. Especially with mobile users, but also for network performance / employee usability reasons.
But key sensitive data, which does include employee files and shareholder identity info as well as key business sensitive data, should be kept on servers which are physically secure, because systems do walk away from offices.
There is a huge gap between IT typical practice and IT best practice in this area, though. Most businesses don't have nearly enough physical security for the servers, or for physical records (how many just have a toy lock on a filing cabinet with employee data?...).
Depending on your definition of negligence, this either clearly wasn't (wasn't any worse than typical businesses) or could have been (a known risk which best practices clearly say not to do).
Re:Why is this data not someplace safe? (Score:3, Insightful)
This is a company that regularly does high-security work, and hires people like former CIA directors. They work with sensitive and secret data on a regular basis.
There is no defence of ignorance here. People who regularly handle secret (and above) data did a bad job of protecting sensitive data. I'd say that this
Re:Why is this data not someplace safe? (Score:3, Insightful)
Not necessarily. Think of it this way. What exactly is the penalty for doing a bad job of protecting personal data? Versus secret and above data?
Re:Why is this data not someplace safe? (Score:2)
From what I've heard, the break-in took place in a building that did have a fair amount of security associated with it. My guess is that SAIC will be considerably more paranoid with the data after this incident - especially in regards to physical security. The corporate culture is pretty much like a start-up, with a l
Re:being reasonable about sensitive data. (Score:3, Informative)
The way to change a corporate computing environment is to control the default options. Whatever's easier is what people will tend to use. Whatever's easiest to support will be made the most convenient option for users. Want control? Stay on the server side...
Okay, I get part of it, but am still confused... (Score:2)
I get the part about not having sensitive information on individual machines. But the server has to give out data to these machines for normal business. If I am in billing, I will need some of the customer data from the server. What is to stop someone from just sniffing the data?
Having worked at a few companies, I know employees will find ways to get around this. I knew one place that did k
Re:Okay, I get part of it, but am still confused.. (Score:2)
Or did they just have a copious number of users (all of which did frequent queries)?
Re:Okay, I get part of it, but am still confused.. (Score:2)
Nobody ever gets to see the server. The database is Oracle, and it is located somewhere off site. When it does not work, we have a phone number we call for tech support. We leave a message, and if we are lucky someone will call back within an hour. The web interface to the database is proprietary, and is serviced by a consulting company. The tech guys I talked with were all smart, but most of the time the answer was the same th
Re:Okay, I get part of it, but am still confused.. (Score:2)
Re:Okay, I get part of it, but am still confused.. (Score:2)
The problem is the database is just too big for all the data. There must be over a million customers in the database, and most of those customers in the database have nothing to do with my region.
Sounds like a partitioned key and some judicious where clauses would help a lot.
Re:Why is this data not someplace safe? (Score:2, Interesting)
It's because it grows.
"W
Re:Why is this data not someplace safe? (Score:2)
This particular episode is a special case of a general problem. Every place I've ever worked, I've seen problems with people keeping data on their workstations that should be on servers. This happened even at places with strict policies against using workstation storage for anything except basic software. People will always get around the rules, because it's easier (though not saf
Re:Why is this data not someplace safe? (Score:2)
Be warned that trying to set such practices straight is the best way to instantly blacken your yearly review - especially if your boss isn't interested in having his name
Re:Why is this data not someplace safe? (Score:2)
Frequently database designers key off of SSN, because it is an easy, pre-existing unique ID for a person.
Of course, the problem here is that SSNs aren't unique unless you also add a birthdate, which most people don't do. I'd probably use a sequence number for enumerating people's db records.
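The two database points raised in this thread, a partition key with "judicious where clauses" so a regional user only sees their own slice, and a sequence number rather than the SSN as the record key, fit together in one small schema. The following is an added example written for this page, not code from any commenter or from SAIC; it uses Python's standard sqlite3 module with constructed sample rows (no real people or numbers), and the table, view and column names are assumptions chosen for illustration.

```python
"""
Added example (not from the Slashdot thread or from SAIC): a small sqlite3 schema
showing (1) keying people's records off a surrogate sequence number instead of the
SSN, with the SSN held in its own restricted table, and (2) scoping what a regional
billing user can see with a view plus a WHERE clause on the region (partition) key
instead of handing out the whole customer table. All names are assumptions.
"""
import sqlite3

# Constructed sample data; no real people or SSNs.
CUSTOMERS = [
    ("Ada Example", "WEST", "123-45-6789"),
    ("Bob Sample", "EAST", "987-65-4321"),
    ("Cy Placeholder", "WEST", "555-55-5555"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a surrogate key and a separated SSN table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        -- The person row is identified by a sequence number, not by SSN.
        CREATE TABLE person (
            person_id INTEGER PRIMARY KEY AUTOINCREMENT,
            name      TEXT NOT NULL,
            region    TEXT NOT NULL
        );
        -- Tax identifiers live in their own table, joined by the surrogate key,
        -- so they can be locked down (or encrypted) separately from working data.
        CREATE TABLE person_tax_id (
            person_id INTEGER PRIMARY KEY REFERENCES person(person_id),
            ssn       TEXT NOT NULL
        );
        -- Billing never needs the SSN; the view projects only what billing uses.
        CREATE VIEW billing_view AS
            SELECT person_id, name, region FROM person;
        """
    )
    for name, region, ssn in CUSTOMERS:
        cur = conn.execute(
            "INSERT INTO person (name, region) VALUES (?, ?)", (name, region)
        )
        conn.execute(
            "INSERT INTO person_tax_id (person_id, ssn) VALUES (?, ?)",
            (cur.lastrowid, ssn),
        )
    conn.commit()
    return conn


def billing_rows_for_region(conn: sqlite3.Connection, region: str) -> list:
    """What a regional billing clerk gets: only their region, never the SSN column."""
    return conn.execute(
        "SELECT person_id, name FROM billing_view WHERE region = ? ORDER BY person_id",
        (region,),
    ).fetchall()


def billing_view_columns(conn: sqlite3.Connection) -> list:
    """Column names exposed by the billing view (lets us check the SSN is absent)."""
    return [row[1] for row in conn.execute("PRAGMA table_info(billing_view)")]


def tax_id_for(conn: sqlite3.Connection, person_id: int) -> str:
    """The single path to an SSN, by surrogate key, reserved for the payroll role."""
    row = conn.execute(
        "SELECT ssn FROM person_tax_id WHERE person_id = ?", (person_id,)
    ).fetchone()
    return row[0] if row else ""


if __name__ == "__main__":
    db = build_db()
    print(billing_rows_for_region(db, "WEST"))  # two WEST rows, no SSN column
    print(billing_view_columns(db))             # ['person_id', 'name', 'region']
```

SQLite has no GRANT, so the separation here is only structural; in Oracle or another server database the same layout is completed by granting the billing role SELECT on the view alone and restricting the tax-id table to payroll, which is what stops the "sniffing" worry from turning into an SSN leak: the regional client never receives the column in the first place.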
Article (Score:5, Informative)
By Griff Witte
Washington Post Staff Writer
Saturday, February 12, 2005; Page E01
Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.
The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.
Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.
David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances. He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure.
"I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia.
About 16,000 SAIC employees work in the Washington area.
Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions."
Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances.
"We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."
Gary Hassen of the San Diego Police Department said there were "no leads."
Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted.
The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc.
Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company.
He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.
The theft comes at a time when the company, which depends on the federal government for more
SAIC (Score:5, Informative)
I've occasionally had issues with the company's size keeping it from being responsive, but this is one thing that got picked up very quickly.
Not me. (Score:3, Informative)
Re:Not me. (Score:2)
Re:SAIC (Score:2)
Re:SAIC (Score:2)
insider job? (Score:5, Insightful)
They better start taking a good close look at their own...
Re:insider job? (Score:2)
Re:insider job? (Score:2)
Re:insider job? (Score:2)
If I were carrying out an insider job, I would do what I could to distract from that fact. Including smashing windows to make it look like it were an outsider job.
Re:insider job? (Score:2)
You're fired! (Score:2, Interesting)
Re:You're fired! (Score:3, Informative)
Re:You're fired! (Score:2)
Re:You're fired! (Score:2)
No, it's not the same thing. It's a completely different thing, which has the same end effect.
This is not just a pedantic argument. Physical Security has a lot of aspects far beyond IT practices (physical files security, safety of employees, etc). While IT was involved since computers were taken, t
Re:You're fired! (Score:2)
Only that data? (Score:5, Insightful)
"The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security."
Are we sure it's only the personal data that was compromised? One would be more worried about what *else* was uncovered by whoever-did-this.
"Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed."
Or is it the case that break-in was *detected* only in one of the buildings? They had to smash windows of the administrative building, to get the keys of the others?
Re:Only that data? (Score:5, Interesting)
Virtual Case File was actually only 1/3 of a larger contract called Trilogy to modernize the FBI's computer systems. In total it's a $600 million dollar project and it kind of sounds like the 2/3rds of it CSC is doing isn't going a lot better.
I'm wagering this is just one of many case studies in the U.S. government squandering money in knee-jerk reactions after 9/11 that were awarded before any actual thought had been put into them. The contractors all make out like bandits though. Remember that when you see the $300-$400 billion budget deficits and the slash and burning of domestic spending to pay for "homeland security". It's open to debate if any of the billions that have been spent on "homeland security" have actually made the homeland more secure.
Re:Only that data? (Score:2)
I can see how it might have impacted Virtual Case Files but not sure it should have. Things like the names of top secret agents in the U.S.S.R shouldn't have been on computers in the first place. I'm kind of the
Re:Only that data? (Score:2)
That is the way most government contractors drain money out of the pockets of taxpayers, isn't it? They get a percentage of each hour billed, don't they? So more people billing more hours means more profit, so they have an incentive to overestimate and overstaff.
"I am working on a similar project"
Wouldn't it be amazing if the government developed one good, standard system for managing documents and used it in all its agencies, instead of squandering hundreds of million
Since I know that you're really concerned and all (Score:2)
I did some work for another big defense contractor [bah.com] a while back, and I can tell you that it is extremely unlikely that any sensitive classified data was compromised. Obviously nothing is impossible, but there are many precautions taken with classified materials.
For instance, at Booz Allen, it would not have been too difficult to walk off with an unclass computer or tw
About Time (Score:3, Insightful)
Maybe this is just the thing we need to make people get serious about privacy.
LK
Blame unsecured Windows! (Score:3, Funny)
It looks like Microsoft will be blamed again!
Plus, look at the person doing the hacking... (Score:2)
Re:Plus, look at the person doing the hacking... (Score:2)
Companies are responsible for protecting the data they collect. If they can't properly protect it, then they shouldn't have it, period.
I don't want to have to pay an extra 10% for my car so Ford can pay network security people outrageous salaries to protect my customer information.
Outrageous and completely uneducated assumption. A decently trained and competent IT staff may cost more, but that is simply a cost of doing business in today's worl
Re:Plus, look at the person doing the hacking... (Score:2)
The fire department does not go around setting fires, so they can have more business. Heart surgeons are not the ones selling Big Macs. But with computers, it is the same network security people who cause the problems. How many people learn about security by sniffing around, doing war driving, hacking into websites and computers, then afte
Re:Plus, look at the person doing the hacking... (Score:2)
But with computers, it is the same network security people who cause the problems. How many people learn about security by sniffing around, doing war driving, hacking into websites and computers, then after they learn enough, they go looking for a job? That is why states have to regulate computer and network security professionals.
They all look the same to you, don't they? The people who crack networks these days are doing it for their own reasons, not as job training. Those of us who do computer securit
Re:Plus, look at the person doing the hacking... (Score:2)
When will people understand that licensing and certifying people says nothing about whether said individuals will choose to behave in a responsible manner? All a certification process can do is provide evidence of minimal technical competence in a given field (and not even that, necessarily.) We simply
Re:Plus, look at the person doing the hacking... (Score:2)
Government disagrees with you, and when they catch these people they go to jail. Some go to jail for years. I think the penalties should be even harsher. Government must make a few examples of people, just like you. Then fewer people will be inclined to do this kind of stuff.
Re:Plus, look at the person doing the hacking... (Score:2)
Here is the problem I have with your statement. Technology always changes. What was secure yesterday may not be tomorrow.
If this was pre-computer times, it would be like keeping the accounting books on the desk of an employee, while the employee was out to lunch. Now how much security is enough? Having the books in a locke
About Social Security numbers (Score:3, Interesting)
Re:About Social Security numbers (Score:3, Informative)
He said that the rationale was as follows:
If you want to enter into a contract with Radio Shack (or whomever they are reselling service for), then you must provide a SSN.
Since it is a contract, they won't enter into it unless you provide your SSN. Thus, it is not illegal for them to deny you services, and you cannot compel them through the courts to enter into a contra
Re:About Social Security numbers (Score:2)
I did not have any trouble with my cell phone company. When I called to activate the phone, I told the person I did not want to give out my SSN. They did not make a big deal out of it.
But when I called to get cable in my apartment, the cable company made a big stink out of it. I told them what they were asking was illegal, and that I would sue. I talked to two different people on the phone, and finally the guy told me I would have to make a copy of a bank statement if I did not want to give out
Re:About Social Security numbers (Score:2)
Re:About Social Security numbers (Score:2)
As has been said, the only people that need your SSN are people that need it for tax reporting reasons. In other words, this boils down to you and your employer (provided they do withholdings and such for you).
Anyone else that requests your SSN has no need of it other than to sell it to someone else.
Re:About Social Security numbers (Score:2)
It says:
If a business or other enterprise asks you for your SSN, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by
Re:About Social Security numbers (Score:4, Insightful)
There is only one reason by law a company can have your SSN#, and that is for paying taxes. If your relationship with the organization does not include paying taxes, then refuse to give them your SSN#. If they deny services, you can sue, it is illegal for them to force you to give them your SSN#.
Could you give some sources? I don't believe that your statement is generally true. It's true that there are only a few cases where you are required by law to give out your SSN (the N stands for Number, by the way--a SSN# is like an ATM Machine). However, that doesn't necessarily mean that it's illegal for other companies to ask for your SSN, or refuse you service if you don't give it out. All the sources I can find (this one for example [privacyrights.org]) say that in most cases the most you can do is take your business elsewhere. Some states have laws preventing refusal of service in specific cases (such as utilities), but in general you have no recourse but to complain and/or go elsewhere.
Before people take your advice and start threatening to sue everyone for violating a law, they should make sure the law actually exists where they are and applies to their situation--otherwise they'll just end up looking silly. Besides, it's always much more effective to be able to quote a specific law a company is breaking instead of just making vague claims of illegality.
Re:About Social Security numbers (Score:2)
Let your fingers do the walking: http://ssa-custhelp.ssa.gov/cgi-bin/ssa.cfg/php/enduser/std_adp.php?p_faqid=78 [ssa.gov]
If a business or other enterprise asks you for your SSN, you can refuse to give it. However, that may mean doing without the purchase or service for which your
Stock transactions are reported to the IRS (Score:2)
What's the real teeth grinder on this one is that ma
Re:About Social Security numbers (Score:2)
I just gave them a number that was slightly different than my actual number. Seemed like a good idea at the time.
In general, that's a terrible idea. You never want to risk confusing your credit record/account history/whatever with someone else's who actually has that number. Probably not a big risk at Blockbuster, but a very bad thing to get in the habit of doing.
A much better approach would be either to refuse to give it outright, or use one that is known to be invalid: either start with a number o
Not identity theft (Score:5, Informative)
Someone downthread asked how you can protect yourself... You can't protect your data on someone's system from being stolen, but you can make sure that no one is using your data. Keep track of your credit card bills and review your credit report (you can get those for free if you try) and you should be OK.
The difference is between someone looking into your apartment with binoculars when you change, and someone raping you.
Re:Not identity theft (Score:2)
This was possible due to sloppy administration. (Score:2, Interesting)
Please can someone explain to me ... (Score:2)
Surely it can't be a security-by-obscurity magic code that is used both as an identifier and as a password, so that possession of this single piece of information permits identity theft?
Assuming that it isn't, why do people get so worked up about it?
(And if it is, well, how daft is that ?!!*?!?**!!?)
Re:Please can someone explain to me ... (Score:2)
In the US a SSN is the passkey to a lot of information. Even though by law a person is not required to cough up his SSN to corporations (this may have been nullified with the Patriot Act) most companies that have databases on people use the SSN as an index. This is especially true of the major credit companies, which use a person's SSN as the primary key. With a SSN, you can pull someone's credit report and get their whole life.
Re:Please can someone explain to me ... (Score:5, Informative)
Of course they can! It's stupid, but there you have it.
I understand now... (Score:2)
Identity cards and identity numbers have been implemented successfully in many other countries. The trick, of course, is that everyone understands that the ID is not a secret, but just an identifier. It cannot be used to verify someone's identity by just producing the number. Once that is understood, that solves most so-called identity theft prob
Re:I understand now... (Score:2)
Personally, my objections to a national ID card have nothing to do with identity theft. Having a national ID system makes it likely that the national ID will be required for all sorts of inappropriate things. Will I have to show my national ID to mail a package, buy sports tickets with a credit card, book a train ride, vote, etc.? Once that happens, having a national ID card will be mandatory, whether explicitly or implicitly. Once having and showing an ID c
Re:I understand now... (Score:2)
Identity cards and identity numbers have been implemented successfully in many other countries. The trick, of course, is that everyone understands that the ID is not a secret, but just an identifier. It cannot be used to verify someone's identity by just producing the number.
Well, there are two problems I see: first, ID cards will be accepted as valid, so forged cards will be that much more useful. Second, whether you like it not, people will use the number as an identifier, and demand it all over, just
Re:Please can someone explain to me ... (Score:2)
So, if you have someone's name and their SSN, and a little knowledge, you can successfully use that name and SSN to open bank accounts, apply for credit, etc. In many instances, the legitimate owner of that name and SSN has legal difficulty avoiding responsibility for the crook's debts.
Worse, too many financial institutions are far too lax regarding how they
Re:Please can someone explain to me ... (Score:2)
Sorry guys! It's not that hard! (Score:3, Interesting)
SAIC stock goes _way_ back... (Score:2)
Re:SAIC stock goes _way_ back... (Score:2)
One of the key points of SAI stock was that you didn't have to sell it when you left the company.
That list in Poland... (Score:2)
With the potential to store terabytes in a desktop computer (and terabytes more on media), it's possible to transport the data of entire organizations, corporations, and governments around. For large amounts of data, probably easier and a whole lot cheaper, too. Just
Had this happen at the last company I worked for (Score:3, Interesting)
We were advised to put fraud alerts in with the credit reporting agencies, get copies of our reports, and then do it again in three months. No one ever used my ID information, but I'm still getting a credit report regularly just because there might be a copy floating around.
My SAIC Experience (Score:4, Informative)
I won't touch on my experience while working for them. I find the whole ownership thing to be overrated but that's me.
I feel so used (Score:2, Insightful)
This sucks! (Score:2, Insightful)
another PISSED employee owner (Score:3, Interesting)
The First Rule of Security (Score:2)
Social Insecurity Number (Score:2)
At least in France we don't have such a universal identifier. Our "social security number" is used only for administrative purposes related to health.
The Public Treasury, other administrations, banks and private companies each have their own numbers.
and SAIC does *what*...? (Score:2)
Don't y'all feel *so* secure?
ROTFLMAO!!!
mark
Re:Not Theft (Score:2)
However, identity theft COULD follow from this theft of personal information.
Also, identity theft does not deprive someone of their identity. It's used in most cases to commit fraud or buy stuff in someone else's name, and in some cases, to enable someone to try to bypass his criminal record and have a "normal life" identity.
That's all well and good... (Score:2)
Just goes to show that security policies need to be multi-faceted, not just concerned with firewalling from the internet. You need to look at physical access to machines, both from employees and potential intruders.
We co-lo in several data centres and all of them, without fail, have physical security that would put the American embassy in Kabul or Baghdad to shame.
Re:I'd rather you hadn't helped publicize this... (Score:2)
One key thing pointed out in the article is how many SAICers they haven't been able to get in touch with. To me (I was the submitter), that meant that t
Re:I'd rather you hadn't helped publicize this... (Score:2)
Unfortunately...
The only way to get companies to take security seriously is to embarrass them.
The only way to get companies to protect their consumers is to make it very dangerous economically for them to operate if the public is aware they have problems with security.
The only way to get government to crack down on criminals engaging in this activity is to get corporations very concerned about the economic implications of these breaches and therefore put (the most effective
Re:YES!!! (Score:2)
The parent has a point, though he expressed it rather poorly. The only way something is really going to get done with respect to privacy/identity theft is if it happens to - or affects - someone important. National Security wrt terrorism has always been important, but nothing major really happened until the President's job was on the line d
Re:"Identity theft": worst...term...ever (Score:2)