On July 20/07, SAIC went public with the news that the personal information of certain uniformed service members, family members, and others was found at risk of potential compromise while being processed by SAIC under several health care contracts for the Department of Defense (DoD). The information was held on a single, SAIC-owned File Transfer Protocol (FTP) server at a small SAIC location in Shalimar, FL, and was used for work being done in connection with the TRICARE health benefits program for the uniformed services, retirees and their families. The server was not behind a firewall, did not contain adequate password protections, and sometimes transmitted unencrypted files over the Internet. SAIC stopped using this server when security concerns were raised, and has conducted a forensic audit. The audit does not indicate that the information was ever compromised – but this is one of those “absence of proof is not proof of absence” situations.
SAIC is notifying approximately 580,000 households, some with more than one affected person. There are a total of some 867,000 unique individuals in these households, including minors and infants. The firm is also taking an intelligent approach to crisis response & correction, with a full mini-site covering the situation, a company-wide team to coordinate both the internal response and assistance for those involved, and the services of Kroll, Inc.’s IDTheftSmart identity restoration service on retainer for all families affected. See also Tricare MA release.