Data Processing, Security Breach

My colleague Renae Merle got an interesting disclosure from SAIC on Friday. It seems the federal contracting giant wanted to fess up to a security breach involving personal information about hundreds of thousands of people in the military and their families.

The press release was headlined "SAIC Addresses Possible Data Compromise."

The company said it was processing health care data for the Army, Navy, Air Force and Department of Homeland Security. The records were stored on a company computer that was apparently linked to the Internet but not secured from intruders. In some cases, the information was transmitted over the net without the use of encryption to protect it from prying eyes.

Some 870,000 service members and their families will be told before long that it does not appear their information was inappropriately obtained or used by outsiders. But they'll also be told that "the possibility cannot be ruled out."

Security is one of the great challenges of the day for the federal government. As agencies collect more and more information about Americans, the complexion of the information changes. The more detail, the better the portrait of the person, particularly when it can be analyzed by ever more sophisticated software. Bad guys can do a lot these days with very little information.

According to study after study, the government has not done a very good job of facing up to that challenge, of properly securing the digital mountains of data they're collecting about us and our lives. Add in the difficulty of overseeing how contractors manage our information, and you have a formula for trouble.

It appears as though SAIC is jumping on its own problem. In an "open letter," SAIC Chairman Ken Dahlberg offered a "personal apology" for the lapse. He also said that a number of SAIC employees were "placed on administrative leave" pending the outcome of an internal probe.

"It is completely unacceptable," he said of the breach. "We did not live up to the high level of performance that our customers have learned to expect and demand from us."

By Robert O'Harrow | July 23, 2007; 6:23 AM ET | security

Comments

So SAIC "wanted to fess up?"

The Department of Defense implemented a policy in 2005 that requires notification in this type of situation, and the requirement applies to defense contractors, too. You can see the DoD's 2005 memo on that here: http://www.dtic.mil/whs/directives/corres/memos/LostInfo.pdf

Posted by: Dissent | July 23, 2007 9:31 AM

SAIC has a growing track record of inept handling of government and even its own sensitive corporate information.

Carp all you want, however--the company's quick and thorough response is top notch, compared to, say, the late and bumbling and in-denial response of the Dept. of Veterans Affairs last year.

Posted by: Jumbotron | July 23, 2007 2:53 PM

Jumbotron: I don't think anyone who reads the news would disagree that the VA has been absolutely the pits in terms of both preventing incidents and then handling them.

And as I noted in my blog entry about the SAIC incident at http://www.pogowasright.org/blogs/dissent/?p=549#more-549 I don't think that they should be held out as the sole problem or poster child for lack of security over health information. There are other incidents and too many "repeat offenders" when it comes to incidents involving personally identifiable information and health-related information.

In a report to the House Committee on Government Reform last year, the HHS reported that it had 24 incidents between January 2003 and July 2006. I don't think any of them were ever reported in the media, and only four of them were summarized in the Committee's report.

There are way too many incidents we are not being told about, and we need greater transparency -- and mandatory disclosure.

Then we need to figure out what better proactive strategy we need, and what consequences there should be for failure to adhere to security and privacy protections.

Our system is broken and it needs fixing.

OK, now I'll step down off my soapbox. :)

Posted by: Dissent | July 23, 2007 3:17 PM

mmmmmmm

Posted by: mmmm | July 24, 2007 8:03 AM

lalo lei ma32ul

Posted by: sabe | July 24, 2007 8:05 AM

© 2007 The Washington Post Company