Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy

Identity Theft of Many SAIC Employees 208

Rick Zeman writes "In the wake of the Geoge Mason University identity theft comes another: SAIC, an employee-owned company, has had a break-in which '...netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.' These employees include anyone who's owned SAIC stock, and since it's an employee-owned company, that's most of them, including 'some of the nation's most influential former military and intelligence officials.'"
This discussion has been archived. No new comments can be posted.

Identity Theft of Many SAIC Employees

Comments Filter:
  • Ouch ... (Score:1, Flamebait)

    by ggvaidya ( 747058 )
    All i can say is: pwned!
  • by dotslashdot ( 694478 ) on Sunday February 13, 2005 @02:50PM (#11661322)
    I am getting SAIC of these criminals who steal identities and of the companies that help them. For our SAIC, companies who have such personal information & fail to secure it should be sued. I realize that is SAICriligious, but I don't care any more. Finding these criminals will be like looking for a needle in the haySAIC.
  • by Ledneh ( 673693 ) <ledneh AT radix-lecti DOT net> on Sunday February 13, 2005 @02:50PM (#11661326) Homepage
    One of my parents may have had their identity stolen in this incident. I sure hope not, but in any case... what now? What can be done to prevent the stolen numbers from being used illegitimately?
    • by AKnightCowboy ( 608632 ) on Sunday February 13, 2005 @03:15PM (#11661522)
      One of my parents may have had their identity stolen in this incident. I sure hope not, but in any case... what now? What can be done to prevent the stolen numbers from being used illegitimately?

      Nothing. It's a stupid system, but it's all we've got. Your SSN is a secret password that holds the key to your credit and identity, but thousands of people already know it. Sleep tight.

      • Our system is totoally screwed up. On the one hand, we have no control about what data people collect about us - whoever collects it owns it, and we have no say. On the other hand, if that data is compromised and hurts us, now who is accountable? The owner of the data? No, the individual has to go to all the trouble and expense of cleaning up after the company's screwup.
    • by Kalewa ( 561267 ) on Sunday February 13, 2005 @03:24PM (#11661599)
      With the usual IANAL disclaimer I'd say notify any credit agencies you deal with about the possible theft of your identity. Do it in writing and make sure you've got records of it.

      If someone actually does try to steal their identity, you've got written proof that you alerted them to possible fraud beforehand, and that should make it easier to avoid any responsibility they may try to pin on you.

      • With the usual IANAL disclaimer I'd say notify any credit agencies you deal with about the possible theft of your identity. Do it in writing and make sure you've got records of it.

        I'd say the first step is to use the automated fraud alert system from any of the big three agencies to put an alert in your record and automatically notify the other agencies. They should send a confirmation in the mail. If you don't get it, then follow up in writing. Using the automated system is going to save a lot of tim

    • by Anonymous Coward on Sunday February 13, 2005 @04:05PM (#11661896)

      From a Canadian perspective...

      Having had my identity stolen (social insurance number, etc.), the first thing to do is to contact one of the credit agencies. In Canada you need to contact Equifax [equifax.ca] and Transunion [transunion.com]. (I believe that Equifax also operates in the US; don't get me started about the PATRIOT Act ramifications for Canadians because of this) They will flag your account so that any company that receives a request for new credit cards, etc. must phone you for confirmation.

      Next, file a report with Phonebusters [phonebusters.ca]. They will add your info to a database (and nothing else... they do NOT investigate anything). File the same report with the RCMP's Report Economic Crimes OnLine [recol.ca]. The RECOL file is more likely to be acted on since it will actually appear on some officer's desk, but don't count on it. Next, file an identical report with your local police. My experience with local cops is that they don't give a shit and in some cases will refuse to take a statement; force them to take your statement because it's essential to the next step and it is your right to do so. Get a copy of this report (one officer refused to give it to me; again, it's your right to have it. In the worst case you'll need to write to the police archive department for it) and head down to your local HRDC [hrdc.gc.ca] branch to get yourself a new Social Insurance Number. You need to bring a copy of the local police report with you. After that comes the fun part about updating your social insurance number with your bank, employer, credit bureau, etc.

      Also, if any company phones you to verify whether you've made an online purchase (that you didn't make), play dumb and get as much info about the delivery location as possible before confirming that it was a fraudulant purchase. Dell's fraud department refused to give me this information after I confirmed that such a fraudulant transaction had been made, citing issues of "privacy". The police refuse to do anything because the fraud wasn't valuable enough. Don't assume for a minute that the cops or businesses involved are going to help you out... you will need to gather as much information about the scammer as possible in order to protect yourself from future scams.

    • See if you can get the police report documenting the theft. Once you have that in hand, you can contact the major credit reporting agencies (Experian, etc) and have them put a hold or fraud-alert on your records. The result will be that anytime anyone applies for credit in your name (or in this case, you parental unit's name) the creditor will get a message that says not to issue any credit until confirming with you directly at the phone number on the credit report. Not fool-proof, but orders of magnitud
    • First of all, there is nothing that your parents can do to prevent the information from being used fraudulently. It sucks, but that's the system we've got.

      Here is what they can do to minimize their pain:

      1. Put a 90-day fraud alert on all three of their credit files. This can be done over the phone immediately using their automated system.
      2. When they do this, they will get a free copy of their credit reports from all three bureaus. They need to read these reports with a fine-toothed comb and report any inac
  • thief (Score:2, Informative)

    by Anonymous Coward
    It happened to Thrupoint Inc. also (a NY security company). It really sucked.
  • by Fish Heads ( 642181 ) on Sunday February 13, 2005 @02:53PM (#11661349)
    So am I crazy, or shoudl these desktop machines not even be HOLDING this kind of data? Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machiens. The server belongs in a secured, protected space. You should be able to lose all of your "personal" computers and only have the inconvenience of setting up new computers for those users. I would say that loss is the fault of poor IT practices.
    • Yeah, they probably figured their burglar alarm would protect them. But you're right ... it's a lot easy to maintain physical security for computers that aren't accessible to your general workforce.
    • by georgewilliamherbert ( 211790 ) on Sunday February 13, 2005 @03:13PM (#11661508)
      So am I crazy, or shoudl these desktop machines not even be HOLDING this kind of data? Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machiens. The server belongs in a secured, protected space. You should be able to lose all of your "personal" computers and only have the inconvenience of setting up new computers for those users. I would say that loss is the fault of poor IT practices.
      You aren't crazy.

      You're stretching a bit far... all business-related data covers everything on any computer in the company, and it's not reasonable to expect that there's never any local copy of data on any system in the company. Especially with mobile users, but also for network performance / employee usability reasons.

      But key sensitive data, which does include employee files and shareholder identity info as well as key business sensitive data, should be kept on servers which are physically secure, because systems do walk away from offices.

      There is a huge gap between IT typical practice and IT best practice in this area, though. Most businesses don't have nearly enough physical security for the servers, or for physical records (how many just have a toy lock on a filing cabinet with employee data?...).

      Depending on your definition of neglegence, this either clearly wasn't (wasn't any worse than typical businesses) or could have been (a known risk which best practices clearly say not to do).

      • Depending on your definition of neglegence, this either clearly wasn't (wasn't any worse than typical businesses) or could have been (a known risk which best practices clearly say not to do).

        This is a company that regularly does high-security work, and hires people like former CIA directors. They work with sensitive and secret data on a regular basis.

        There is no defence of ignorance here. People who regularly handle secret (and above) data did a bad job of protecting sensitive data. I'd say that this

        • "People who regularly handle secret (and above) data did a bad job of protecting sensitive data. I'd say that this bodes ill for the truly secret data that they have at other sites."

          Not necessarily. Think of it this way. What exactly is the penalty for doing a bad job of protecting personal data? Versus secret and above data?
      • Depending on your definition of neglegence, this either clearly wasn't (wasn't any worse than typical businesses) or could have been (a known risk which best practices clearly say not to do).

        From what I've heard, the break-in took place in a building that did have a fair amount of security associated with it. My guess is that SAIC will be considerably more paranoid with the data after this incident - especially in regards to physical security. The corporate culture is pretty much like a start-up, with a l

    • Sensitive information (all business-related data in my opinion) belongs on the server, not on individual machiens.

      I get the part about not having sensitive information on individual machines. But the server has to give out data to these machines for normal buisness. If I am in billing, I will need some of the customer data from the server. What is to stop someone from just sniffing the data?

      Having worked at a few companies, I know employees will find ways to get around this. I knew one place that did k

    • Welcome to what happens when IT grows instead of being designed. The same sort of issue is what causes a large retailer to use a 4 port linksys hub as the central point of their network, what causes a major company to use an employee's backup machine as the webserver (leading to an outage when someone accidentally kicks a cable while listening to music), or what makes an email server out of a abandoned machine in a hallway (with power cords going to one office, network to another).

      It's because it grows.
      "W
    • As others have said, you're quite sane. Keeping this kind of data on servers is a good principle, too often ignored in practice.

      This particular episode is a special case of a general problem. Every place I've ever worked, I've seen problems with people keeping data on their workstations that should be on servers. This happened even at place with strict policies against using workstation storage for anything except basic software. People will always get around the rules, because it's easier (though not saf

    • One reason SSN gets on to workstations is poor development practices. Frequently database designers key off of SSN, because it is an easy, pre-existing unique ID for a person. Of course these database designers snapshot a production database and copy to their PC, where they probably have SQL Server, IIS, and eDonkey2k running side by side.

      Be warned that trying to set such practices straight is the best way to instantly blacken your yearly review - especially if your boss isn't interested in having his name
      • Frequently database designers key off of SSN, because it is an easy, pre-existing unique ID for a person.

        Of course, the problem here is that SSNs arent unique unless you also add a birthdate, which most people don't do. I'd probably use a sequence number for enumerating peoples' db records.

  • Article (Score:5, Informative)

    by prurientknave ( 820507 ) on Sunday February 13, 2005 @02:53PM (#11661350)
    Break-In At SAIC Risks ID Theft Computers Held Personal Data on Employee-Owners
    By Griff Witte
    Washington Post Staff Writer
    Saturday, February 12, 2005; Page E01


    Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.

    The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security. It has a reputation for hiring Washington's most powerful figures when they leave the government, and its payroll has been studded with former secretaries of defense, CIA directors and White House counterterrorism advisers.

    Those former officials -- along with the rest of a 45,000-person workforce in which a significant percentage of employees hold government security clearances -- were informed last week that their private information may have been breached and they need to take steps to protect themselves from fraud.

    David Kay, who was chief weapons inspector in Iraq after nearly a decade as an executive at SAIC, said he has devoted more than a dozen hours to shutting down accounts and safeguarding his finances. He said the successful theft of personal data, by thieves who smashed windows to gain access, does not speak well of a company that is devoted to keeping the government's secrets secure.

    "I just find it unexplainable how anyone could be so casual with such vital information. It's not like we're just now learning that identity theft is a problem," said Kay, who lives in Northern Virginia.

    About 16,000 SAIC employees work in the Washington area.

    Bobby Ray Inman, former deputy director of the CIA and a former director at SAIC, agreed. "It's worrisome," said Inman, who also received notification of the theft last week. "If the security is sloppy, it raises questions."

    Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed. Haddad said the company does not know whether the thieves targeted specific computers containing employee information or if they were simply after hardware to sell for cash. In either case, the company is taking no chances.

    "We're taking this extremely seriously," Haddad said. "It's certainly not something that would reflect well on any company, let alone a company that's involved in information security. But what can I say? We're doing everything we can to get to the bottom of it."

    Gary Hassen of the San Diego Police Department said there were "no leads."

    Haddad said surveillance cameras are in the building where the theft took place, but he did not know whether they caught the perpetrators on tape. He also did not know whether the information that was on the pilfered computers had been encrypted.

    The stolen information included names, Social Security numbers, addresses, telephone numbers and records of financial transactions. It was stored in a database of past and present SAIC stockholders. SAIC is one of the nation's largest employee-owned companies, with workers each receiving the option to buy SAIC stock through an internal brokerage division known as Bull Inc.

    Haddad said the company has been trying through letters and e-mails to get in touch with everyone who has held company stock within the past decade, though he acknowledged that hasn't been easy since many have since left the company.

    He said the company would take steps to ensure stockholder information is better protected in the future, but he declined to be specific.

    The theft comes at a time when the company, which depends on the federal government for more
  • SAIC (Score:5, Informative)

    by ArmenTanzarian ( 210418 ) on Sunday February 13, 2005 @02:53PM (#11661351) Homepage Journal
    The company has actually been very responsive to this. They sent out a mass email immediately and created a site of what happened and what to do on the company intranet two days later. They have issued updates, police reports, etc. nearly every day since.

    I've occaisionally had issue with the company's size keeping it from being responsive, but this is one thing that got picked up very quickly.
    • Not me. (Score:3, Informative)

      by Baldrson ( 78598 ) *
      I was running the software department for automated ordnance inspection systems around 15 years ago and and I've received no notice. Melvin Laird and Bobby Inman were among the SAIC employees at that time IIRC and I'll be they were notified.
    • Details at Daily Kos [dailykos.com].
    • by T5 ( 308759 )
      I'm sure that's good for the current company-owned employees (haha), but what about us SAIC ex-pats? I've heard nothing about this myself. I've been gone from there (free at last, free at last...) for about 10 years now, but if these computers had stock information, there's a good chance there are thousands of us affected who haven't heard about this yet.
  • insider job? (Score:5, Insightful)

    by tuxette ( 731067 ) * <tuxette&gmail,com> on Sunday February 13, 2005 @02:54PM (#11661365) Homepage Journal
    "...the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed.

    They better start taking a good close look at their own...

  • You're fired! (Score:2, Interesting)

    Someone is going to lose his or her job. We all know that operating systems and applications have bugs. However, most of the break ins are because of unpatched or misconfigured systems, which are administrator faults. 99.99999999999999% of bad guys are too lazy to find holes themselves like Kevin Mitnick did when he broke into Sun to get Solaris and find security bugs. So, they use what is known. Admins must use what it is known to fix those problems.
    • This was not a network intrusion, the article makes it clear that there was a physical breakin of the building, and that whole computers were stolen.
      • It's the same thing people. Whether security is circumvented in cyberspace or in the real world, it is the same thing. In this case, though, they failed to secure sensitive information in the real world.
        • It's the same thing people. Whether security is circumvented in cyberspace or in the real world, it is the same thing. In this case, though, they failed to secure sensitive information in the real world.

          No, it's not the same thing. It's a completely different thing, which has the same end effect.

          This is not just a pedantic argument. Physical Security has a lot of aspects far beyond IT practices (physical files security, safety of employees, etc). While IT was involved since computers were taken, t

  • Only that data? (Score:5, Insightful)

    by mmThe1 ( 213136 ) on Sunday February 13, 2005 @02:56PM (#11661375) Homepage
    Notice the irony:

    "The contractor, employee-owned Science Applications International Corp. of San Diego, handles sensitive government contracts, including many in information security."

    Are we sure it's only the personal data that was compromised? One would be more worried about what *else* was uncovered by whoever-did-this.

    "Ben Haddad, an SAIC spokesman, said yesterday that the Jan. 25 theft, which the company announced last week, occurred in an administrative building where no sensitive contracting work is performed."

    Or is it the case that break-in was *detected* only in one of the buildings? They had to smash windows of the administrative building, to get the keys of the others?

    • Re:Only that data? (Score:5, Interesting)

      by demachina ( 71715 ) on Sunday February 13, 2005 @04:32PM (#11662055)
      It should be noted that SAIC is the same company who just cratered on the FBI's new Virtual Case File [signonsandiego.com] software contract. The one that cost us $170 million dollars and is probably going to be thrown out and replaced with COTS software(which will probably cost millions more). SAIC is one of the elite cadre of companies that specialize in using political influence to land huge government contracts worth billions that they often never deliver anything worth a plugged nickel for. Some other big names CSC, EDS, Lockheed, Boeing, Hallibiburton/KBR, Bechtel....

      Virtual Case File was actually only 1/3 of a larger contract called Trilogy to modernize the FBI's computer systems. In total its a $600 million dollar project and it kind of sounds like the 2/3rds of it CSC is doing isn't going a lot better.

      I'm wagering this is just one of many case studies in the U.S. government squandering money in knee jerk reactions after 9/11 that were awarded before any actual thought had been put in to them. The contractors all make out like bandits though. Remember that when you see the $300-$400 billion budget deficits and the slash and burning of domestic spending to pay for "homeland security". Its open to debate if any of the billions that hve been spent on "homeland security" have actually made the homeland more secure.
    • Are we sure it's only the personal data that was compromised? One would be more worried about what *else* was uncovered by whoever-did-this.

      I did some work for another big defense contractor [bah.com] a while back, and I can tell you that it is extremely unlikely that any sensitive classified data was compromised. Obiously nothing is impossible, but there are many precautions taken with classefied materials.

      For instance, at Booz Allen, it would not have been too difficult to walk off with an unclass computer or tw

  • About Time (Score:3, Insightful)

    by Lord Kano ( 13027 ) on Sunday February 13, 2005 @02:56PM (#11661377) Homepage Journal
    'some of the nation's most influential former military and intelligence officials.'

    Maybe this is just the thing we need to make people get serious about privacy.

    LK
  • by Reignking ( 832642 ) on Sunday February 13, 2005 @02:58PM (#11661394) Journal
    He said the successful theft of personal data, by thieves who smashed windows to gain access

    It looks like Microsoft will be blamed again!
  • These kinds of crimes deserve bigger penalties. This crime is not done by someone who is starving for food and decides to rob a liqueur store. These crimes are done by semi-skilled people, who probabaly are well off, and continue repeating their crimes (I say well off because the obviously have the computers and education). This is not a guy wanting to feed his family who steals a loaf of bread, this is a no good spammer who makes life miserable for everyone else. I say when we catch them, they should hang.
    • Companies are not responsible for military type security.

      Compainies are responsible for protecting the data they collect. If they can't properly protect it, then they shouldn't have it- period.

      I don't want to have to pay an extra 10% for my car so Ford can pay network security people outrageous salaries to protect my costumer information.

      Outrageous and completely uneducated assumption. A decently trained and competant IT staff may cost more, but that is simply a cost of doing business in todays worl
      • maybe youd like to argue that crime is extortion by the police department? or fire extortion by the fire department? Or heart disease extortion by the heart surgions?

        The fire department does not go around setting fires, so they can have more buisness. Heart surgeons are not the ones selling Big Macs. But with computers, it is the same network security people who cause the problems. How many people learn about security by sniffing around, doing war driving, hacking into websites and computers, then afte

        • But with computers, it is the same network security people who cause the problems. How many people learn about security by sniffing around, doing war driving, hacking into websites and computers, then after they learn enough, they go looking for a job? That is why states have to regulate computer and network security professionals.

          They all look the same to you, don't they? The people who crack networks these days are doing it for their own reasons, not as job training. Those of us who do computer securit

    • Great idea, so that way we can assure ourselves that security personnel will exhibit the same degree of honesty and ethical behavior as other state-licensed professionals, such as lawyers and doctors. Sure.

      When will people understand that licensing and certifying people says nothing about whether said individuals will choose to behave in a responsible manner? All a certification process can do is provide evidence of minimal technical competence in a given field (and not even that, necessarily.) We simply
  • by John Seminal ( 698722 ) on Sunday February 13, 2005 @03:08PM (#11661467) Journal
    I am suprised how many people give out their SSN# to anyone who seems legitimate and asks. I never give them out, and you should not either. There is only one reason by law a company can have your SSN#, and that is for paying taxes. If your relationship with the organization does not include paying taxes, then refuse to give them your SSN#. If they deny services, you can sue, it is illegal for them to force you to give them your SSN#. This goes for colleges too, you don't have to give them your SSN#, and they will have to give you a different ID.
    • I thought so too, until I once got bored and asked a Radio Shack drone about the SSN requirement for obtaining a cell phone through them.

      He said that the rationale was as follows:

      If you want to enter into a contract with Radio Shack (or whomever they are reselling service for), then you must provide a SSN.

      Since it is a contract, they won't enter into it unless you provide your SSN. Thus, it is not illegal for them to deny you services, and you cannot compel them through the courts to enter into a contra
      • Ratcrow,

        I did not have any trouble with my cell phone company. When I called to activate the phone, I told the person I did not want to give out my SSN. They did not make a big deal out of it.

        But when I called to get cable in my apartment, the cable company made a big stink out of it. I told them what they were asking was illegal, and that I would sue. I talked to two different people on the phone, and finally the guy told me I would have to make a copy of a bank statement if I did not want to give out

        • If you have a contract with the company to, say, get a better deal on the phone, I'll bet they require the SSN. They run a credit check when you have a contract, and that's always based on SSN.
      • A contract has nothing to do with the Social Security Administration. Being such, a contract does not require your SSN.

        As has been said, the only people that need your SSN are people that need it for tax reporting reasons. In other words, this boils down to you and your employer (provided they do withholdings and such for you).

        Anyone has that requests your SSN has no need of it other than to sell it to someone else.
    • You may want to read this page from the Social Security Administration's website: When Am I Legally Required to Provide my Social Security Number? [ssa.gov]

      It says:

      If a business or other enterprise asks you for your SSN, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by

    • by stewby18 ( 594952 ) on Sunday February 13, 2005 @04:00PM (#11661869)

      There is only one reason by law a company can have your SSN#, and that is for paying taxes. If your relationship with the organization does not include paying taxes, then refuse to give them your SSN#. If they deny services, you can sue, it is illegal for them to force you to give them your SSN#.

      Could you give some sources? I don't believe that your statement is generally true. It's true that there are only a few cases where you are required by law to give out your SSN (the N stands for Number, by the way--a SSN# is like an ATM Machine). However, that doesn't necessarily mean that it's illegal for other companies to ask for your SSN, or refuse you service if you don't give it out. All the sources I can find (this one for example [privacyrights.org]) say that in most cases the most you can do is take your business elsewhere. Some states have laws preventing refusal of service in specific cases (such as utilities), but in general you have no recourse but to complain and/or go elsewhere.

      Before people take your advice and start threatening to sue everyone for violating a law, they should make sure the law actually exists where they are and applies to their situation--otherwise they'll just end up looking looking silly. Besides, it's always much more effective to be able to quote a specific law a company is breaking instead of just making vague claims of illegality.

    • In this case it was the employee stock program and those transactions are reported to the IRS so it's not that suspicious they'd need a SSN for that. But, yeah, I'm with you. If I'm not reporting income from you, you're not getting my SSN. The school, the doctor, anyone else who thinks they need it. It chaps me to no end you have to present an SSN in this state to register to vote. I can't imagine anything easier to hack than state run Windows PC's.

      What's the real teeth grinder on this one is that ma

  • Not identity theft (Score:5, Informative)

    by cookiepus ( 154655 ) on Sunday February 13, 2005 @03:10PM (#11661479) Homepage
    This is not identity theft (yet, anyway)... Stealing people's private data is a breach of security, but it doesn't become identity theft until that data is used in a fraudulent way.

    Someone downthread asked how you can protect yourself... You can't protect your data on someone's system from being stolen, but you can make sure that no one is using your data. Keep track of your credit card bills and reiew your credit report (you can get those for free if you try) and you should be OK.

    The difference is between someone looking into your apartment with binoculars when you change, and someone raping you.
  • by Anonymous Coward
    My Mother is one of the employees on the list. She told me that all of that sensitive info was stored on a laptop. Knowing that much, it's highly unlikely that the data was encrypted. Even a newbie system administrator should know that such data should be on a server that is in a locked, climate controlled room with no windows. SAIC is lucky that their stock is not controlled by the market, cause this sure casts doubt on their competence in computer security.
  • ... what this American obsession with secrecy of "social security numbers" is?

    Surely they can't be a security-by-obscurity magic code that is used both as an identifier and as a password, so that possession of this single piece of information permits identity theft?

    Assuming that it isn't, why do people get so worked up about it?

    (And if it is, well, how daft is that ?!!*?!?**!!?)
    • what this American obsession with secrecy of "social security numbers" is?

      In the US a SSN is the passkey to a lot of information. Even though by law a person is not required to cough up his SSN to corporations (this may have been nullified with the Patriot Act) most companies that have databases on people use the SSN as an index. This is especially true of the major credit companies, which use a person's SSN as the primary key. With a SSN, you can pull someone's credit report and get their whole life.
    • by HeghmoH ( 13204 ) on Sunday February 13, 2005 @05:06PM (#11662301) Homepage Journal
      Surely they can't be a security-by-obscurity magic code that is used both as an identifier and as a password, so that possession of this single piece of information permits identity theft?

      Of course they can! It's stupid, but there you have it.
      • ...why so many people here seem to have very strong objections to identity cards being implemented in the US, looking at the way SSN has been implemented and used.

        Identity cards and identity numbers have been implemented successfully in many other countries. The trick, of course, is that everyone understands that the ID is not a secret, but just an identifier. It cannot be used to verify someone's identity by just producing the number. Once that is understood, that solves most so-called identity theft prob
        • This is wandering off-topic, but what the hey....

          Personally, my objections to a national ID card have nothing to do with identity theft. Having a national ID system makes it likely that the national ID will be required for all sorts of inappropriate things. Will I have to show my national ID to mail a package, buy sports tickets with a credit card, book a train ride, vote, etc.? Once that happens, having a national ID card will be mandatory, whether explicitly or implicitly. Once having and showing an ID c
        • Identity cards and identity numbers have been implemented successfully in many other countries. The trick, of course, is that everyone understands that the ID is not a secret, but just an identifier. It cannot be used to verify someone's identity by just producing the number.

          Well, there are two problems I see: first, ID cards will be accepted as valid, so forged cards will be that much more useful. Second, whether you like it not, people will use the number as an identifier, and demand it all over, just

    • The SSN is the only unique number identifying Americans. We started using it decades ago for these purposes, long before computers were even in use.

      So, if you have someone's name and their SSN, and a little knowledge, you can successfully use that name and SSN to open bank accounts, apply for credit, etc. In many instances, the legitimate owner of that name and SSN has legal difficulty avoiding responsibility for the crook's debts.

      Worse, too many financial instirutions are far too lax regarding how they
    • By virtue of having a SSN aand a matching name, you can then generate other types of ID. Drivers license, birth certificate. Having those, you can generate a history. You can get anything. You can be anyone.
  • by rejecting ( 824821 ) on Sunday February 13, 2005 @03:37PM (#11661717)
    It seems that some of you are living under the delusion that it would be hard to run away with this kind of info. As a Financial Aid Advisor at a university i can tell you that with my database access, a database access that you can recieve with an 6 doller an hour work study position, you could run away with more than 50,000 ssn, phone numbers, all the information posted on the FAFSA (which is pretty much a rehash of your tax return) I think screaming, WHY DIDN'T THEY HAVE THE SAFEGUARDS IN PLACE, is being pedantic. noone is doing anything to keep your info safe. I'm sorry.
  • Actually, I was involved with the initial U of IL prototype of the SAIT plasmascope back in 1975 [saic.com] (doing a 3D [geocities.com] demo) during which transpants from the PLATO project [plasmatvscience.org] to (then) SAI got small amounts of early stock before moving on to other jobs. I'm sure most of them haven't been notified and some of them have dropped off he radar completely.
    • I knew a few people who were involved with the company when it was SAI - and rember hearing stories (ca 1976) about how it was metastizing across La Jolla from the old corporate headquarters in La Jolla - which was originally Scripps Hospital then Scripps Clinic.

      One the key points of SAI stock was that you didn't have to sell it when you left the company.

  • A quick googling [google.com] listed a recent /. discussion [slashdot.org] as the first link. Could this be a step towards doing the same thing to the United States? It seems like exactly the kind of data that would be necessary to tie in information from other sources.

    With the potential to store terabytes in a desktop computer (and terabytes more on media), it's possible to transport the data of entire organizations, corporations, and governmments around. For large amounts of data, probably easier and a whole lot cheaper, too. Just
  • by raider_red ( 156642 ) on Sunday February 13, 2005 @07:16PM (#11663321) Journal
    My last employer's payroll contractor suffered a break-in similer to this. It appears to have been an inside job, since whoever did it managed to bypass three locked doors, a security system, and two armed guards on the building's only entrance. It appeared that they were only after the hardware, but it was treated as ID theft because of the nature of the data it contained.

    We were advised to put fraud alerts in with the credit reporting agencies, get copies of our reports, and then do it again in three months. No one ever used my ID information, but I'm still getting a credit report regularly just because there might be a copy floating around.
  • My SAIC Experience (Score:4, Informative)

    by Slavinski ( 713970 ) on Sunday February 13, 2005 @09:01PM (#11664037)
    Having worked for them, I have to say I have already received a letter but if anything happens, I am holding them liable to maintaining the security of my personal information for any loss. If they aren't in the position to hold it securely and with respect then they should expect some grumbling for present and past employees.

    I won't touch on my experience while working for them. I find the whole ownership thing to be overrated but that's me.
  • I feel so used (Score:2, Insightful)

    by DrTime ( 838124 )
    I used to work for SAIC and I have to hear about this on /. almost 3 weeks after the fact. I've already googled what I need to do. I was disappointed with SAIC as a company, but they were reasonably generous back when I worked for them. Oh well.
  • This sucks! (Score:2, Insightful)

    by JoeKramer ( 545010 )
    As a SAIC employee this just blows. I had to put a ID theft warning on my credit. This story took a long to come out! This took place weeks ago and we where warned about this over 2 weeks ago! hehe
  • by Anonymous Coward on Monday February 14, 2005 @12:36AM (#11665222)
    i've been with SAIC for 4 years now, started off good but now it pretty much sucks. This is the icing on the cake.. i'll wager NO ONE gets fired over this (the CFO and/or CTO should resign). There's not much accountability at SAIC, dumb people just get promoted. I'll be leaving soon, F'em.. and if i get ID theft becuase of this i'll be lining up to sue those stupid f%$k's.
  • The first rule of security is that the computer is only as secure as its physical location. It is really astounding that people configure a server as the electronic equivalent of Fort Knox and then keep it in room where everyone, including the janitor, has access. Is it any wonder that we hear about these smash and grab thefts so often?
  • "Social Insecurity Number", that's how it should be called.

    At least in France we don't have such a universal identifier. Our "social security number" is used only for administrative purpose related to health.

    Public Treasure, other administrations, banks and private companies have each their own numbers.
  • AFAIK, partly from having looked at jobs with them (and finding every single job wants a security clearance), SAIC does almost *nothing* that's not intelligence- or military-related.

    Don't y'all feel *so* secure?

    ROTFLMAO!!!

    mark

Do you suffer painful hallucination? -- Don Juan, cited by Carlos Casteneda

Working...