Alex Constantine - July 24, 2007
Jul 23 2007
A federal contractor has said it put hundreds of thousands of military households at risk for identity theft by sending their personal information, including Social Security numbers, over the internet through an unencrypted channel.
San Diego-based SAIC, which provides scientific, engineering, systems integration and technical services to military and federal government agencies, said that personal information of about 580,000 uniformed military personnel and their family members was placed online while being processed by SAIC under several health care data contracts, according to a statement.
The processing was part of TRICARE, the health benefits program for the uniformed military services, retirees and their families, according to SAIC.
"The security failure occurred as a result of clear violations of SAIC's internal IT security policies," SAIC chairman and CEO Ken Dahlberg said. "We did not live up to [what] our customers have learned to expect and demand from us."
The information exposed varies by individual, the company said. It includes combinations of names, addresses, Social Security numbers, birth dates or limited health information in the form of codes.
Among those impacted are personnel in the Army, Navy, Air Force and Homeland Security.
SAIC said it is working to reduce the potential impact of the security lapse. The company said that, while forensic analysis has not provided evidence that any personal information was compromised, "the possibility cannot be ruled out."
SAIC has developed an "incident response center" and hired Kroll, a risk consulting company, to provide services to military members whose information was exposed. The services include credit and identity restoration help for any victims of related identity theft.
SAIC revealed that it expects the cost of these services to range from $7 million to $9 million, excluding credit restoration services if any identity theft occurs as a result of the exposure.
The company has launched an internal investigation to determine how the security snafu occurred and placed several employees on administrative leave. It has also initiated a risk-assessment program to uncover other possible vulnerabilities and to determine the kinds of changes in policy, methods, tools and monitoring required to avoid future security lapses.