Government contractor SAIC disclosed late Friday 20 that it had transmitted personal data on 580,000 military personnel and their families over the Internet without encrypting the information, and that the data had been stored on an unsecured server, putting the individuals at potential risk of identity theft and fraud.
The breach took place at an undisclosed SAIC location in Shalimar, Florida. The San Diego-based company claimed its internal investigations did not find any evidence that the information had been used for fraud or identity theft, but the possibility could not be ruled out.
SAIC was handling the data as part of processing health care claims made through TRICARE, the main military health care network. The company was providing assistance to the Army, Navy, Air Force, and the Department of Homeland Security.
SAIC spokespeople said that several employees were placed on leave after the incident was disclosed, and that it contracted data security company Kroll Inc. to provide free identity theft protection for all affected individuals for one year.
SAIC chairman and CEO Ken Dahlberg said the breach was "completely unacceptable and occurred as a result of clear violations of SAIC's strong internal IT security policies." In a letter posted on the company Web site, Dahlberg said that "We did not live up to the high level of performance that our customers have learned to expect and demand from us."
SAIC acknowledged that the data breach may cost it anywhere from $7 to $10 million, excluding payment for credit protection services from Kroll for anyone who requests them. SAIC is the fifth largest government contractor, with $4.4 billion in annual revenue and command of numerous military and defense-related projects.
Although SAIC's high concentration of ex-government and military staff ensures it gets top access to choice contracts, it has also come under fire for cost overruns and problems in completing projects.
SAIC was responsible for the FBI's massive "Virtual Case File" technology upgrade, which cost taxpayers $170 million and ended up being scrapped as unusable.
SAIC is also no stranger to data breaches. The company reported in February 2005 that thieves broke into an SAIC facility on Jan. 25 and stole personal computers containing sensitive data on 45,000 employees, including names, addresses, Social Security numbers, and financial information.
Ironically, that earlier SAIC breach was reported just days prior to the news that Nigerian criminals had bought the records of 145,000 people from global data broker ChoicePoint.