Security lapse threatens service members’ data

SAIC Inc., a defense contractor specializing in computer services, may have transmitted personal information about U.S. military service members and their relatives over the Internet without encrypting the data first.

The company is notifying about 580,000 households, some with more than one person affected, San Diego-based SAIC said Friday in a statement. Although there’s no evidence any personal information was compromised, SAIC said the possibility “cannot be ruled out.”

The information was stored on a single, SAIC-owned, nonsecure server at an undisclosed location, the company said. The data were being processed under healthcare contracts the company had with the Army, Navy, Air Force and Homeland Security Department. The information at risk included names, addresses, Social Security numbers, birth dates and coded health information, SAIC said.

“The security failure is completely unacceptable and occurred as a result of clear violations of SAIC’s strong internal IT security policies,” Chief Executive Ken Dahlberg said.

The company estimated it would cost from $7 million to $10 million to “mitigate any potential inconvenience or harm” the incident may have caused. The expense will be included in results for the second quarter ending July 31. The cost doesn’t include expenses for credit restoration services if identity theft occurred, SAIC said.

The company said it had placed “a number” of employees on administrative leave pending the outcome of an internal investigation to determine how the security lapse occurred.

SAIC hired investigative firm Kroll Inc. to aid any service member or relative who was affected. Kroll will create an “incident response center” with extended hours to provide free credit and identity restoration services for any victims of identity theft.