SAIC addresses possible data compromise

Personal information of certain uniformed service members, family members and others was placed at risk for potential compromise while being processed by SAIC under several health care data contracts for military service customers, the company said today.

SAIC remedied the security lapses upon learning of them and began working with the customers to mitigate any potential impact. Forensic analysis has not yielded any evidence that any personal information was actually compromised; however, the possibility cannot be ruled out. SAIC is notifying approximately 580,000 households, some with more than one affected person.

“We deeply regret this security failure and I want to extend our apologies to those affected by it,” Chairman and CEO Ken Dahlberg said. “We are concerned about the inconvenience and risk of potential compromise of personal information this may cause. The security failure is completely unacceptable and occurred as a result of clear violations of SAIC’s strong internal IT security policies. In this instance, we did not live up to the high level of performance that our customers have learned to expect and demand from us. We let down our customers and the service members whom we support. For this, we are very sorry.”

The information was stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases was transmitted over the Internet in an unencrypted form. The contracts were with customers in the Departments of the Army, Navy, Air Force and Homeland Security. The work was being done in connection with TRICARE, the health benefits program for the uniformed services, retirees and their families. The personal information at risk varies by individual, but could include combinations of names, addresses, Social Security numbers, birth dates, and/or limited health information in the form of codes.

The company has responded to this situation in a comprehensive way by taking the following actions:

conducted a detailed forensic analysis of the server and data, which included assistance from some of the company’s and the government’s top experts in computer security;

launched an internal investigation using outside counsel to determine exactly how this security failure occurred and placed a number of employees on administrative leave pending the outcome of the investigation;

established a company-wide task force to ensure that the company responsibly addresses any adverse impact on the company’s customers and any affected individuals;

initiated a systematic, company-wide assessment to assure that such lapses do not exist elsewhere in the company and determine whether any changes in policy, methods, tools and monitoring are needed to make sure that such a lapse does not recur.