California defense contractor warns employees following computer theft

Security Focus and Associated Press ^ | February 3, 2005

[bd476]

California defense contractor warns employees following computer theft

The Associated Press Feb 3 2005 3:16PM

"Thieves stole several computers containing personal information on 45,000 current and former shareholders of defense contractor Science Applications International Corp., which began alerting those people on Thursday.

SAIC is one of the nation's largest employee-owned companies.

The computers stolen from an SAIC administrative building in San Diego contained the name, Social Security number, address and telephone number of current and former shareholders, including the number of shares bought, held and sold.

The company said it had no evidence that the thieves accessed the information or that the purpose of the crime was identity theft, but began notifying current and former shareholders as a precaution.

"We're extremely concerned. This is a very serious matter. We're taking every precaution we know how," SAIC spokesman Ben Haddad said Thursday.

Thieves smashed three ground-floor windows and pried open the doors to 13 offices early on Jan. 25, San Diego police Detective Gary Hassen said.

No government or commercial work was performed at the building where the break-in occurred. SAIC, which has annual revenue of about $7 billion, is involved in some of the U.S. government's most sensitive work, from redesigning Army combat systems to bioweapons defense and improving electronic snooping for the National Security Agency.

Employees of the San Diego-based company can buy and sell shares among themselves once every three months at a price fixed by an outside auditor, based on SAIC's operating income and competitors' stock prices.

The computers contained the information of tens of thousands of people who bought or sold SAIC shares in the past several years, Haddad said.

SAIC is reassessing its security procedures."

[bd476]

"No government or commercial work was performed at the building where the break-in occurred. SAIC, which has annual revenue of about $7 billion, is involved in some of the U.S. government's most sensitive work, from redesigning Army combat systems to bioweapons defense and improving electronic snooping for the National Security Agency."

Oh, I'm going to sleep better tonight after reading that paragraph...

[Gunrunner2]

And knowing quite a few SAIC guys, I haven't sleep well for a long time. . .

;-)

[1FASTGLOCK45]

I wonder if this is the same city where they said the cops weren't going to answer alarms anymore because of false alarms?

[X_CDN_EH]

Why are companies keeping sensitive data on PC's? (I figure they are PC's because thieves stole several computers...

[bd476]

SAIC is in the defense industry with main headquarters in San Diego. It's well known to applicants for the stringent security, employee background checks and security clearances because of its international reputation for "research."

The company is very active right now, and it's hard to believe that the burglars accidentally broke into an office holding just employee information.

What in the world prevented SAIC from having better security?

NSA info alone could have been motivation for the break-in.

[bd476]

1FASTGLOCK45 said: "I wonder if this is the same city where they said the cops weren't going to answer alarms anymore because of false alarms?"

I believe that is Los Angeles.

If SAIC's security alarm went off, it would have been a very unhappy San Diego Police dispatcher who didn't push some red buttons.

[1FASTGLOCK45]

Sounds like security needs to be redone at that building, bet that alarm guard no longer has a job. To be able to smash 3 windows and break into 13 offices, makes quite a alot of noise...

[bd476]

Argh, Gunrunner2. :)

[ProudVet77]

>>"Why are companies keeping sensitive data on PC's?"
That's a real good question. Whoever set up the system doesn't appreciate security. There are a few very simple fundamental things that can be done to stop most of this kind of theft.

[bd476]

1FASTGLOCK45 said: "Sounds like security needs to be redone at that building, bet that alarm guard no longer has a job. To be able to smash 3 windows and break into 13 offices, makes quite a alot of noise..."

It should not have happened in the first place. That place was like Fort Knox in daylight hours at least in past years.

There is not just one security guard, it would be a system of security to get through first. Breaking windows and getting into SAIC would be about as easy as doing the same in any defense industry building in D.C.

[Flyer]

My web hosting company has better security.

Web-hosting company Advanced Internet Technologies (AIT) is big on security. Not necessarily the firewall, virtual private network, virus detection type of thing. More like the barbed wire, munitions closet, and paratrooper type of security. The Fayetteville, N.C.-based company has razor wire fences, painted black windows in some areas, and even a munitions closet with 12-gauge shotguns and 9-millimeter Beretta pistols. Its data centers are protected by 8-inch reinforced concrete and 24-hour guards.

Source

[bd476]

Flyer, I thought you were kidding until I read the article. Thanks for the link.

At least, some time ago, SAIC would have been a role model for that company.

It's a puzzle how the people got in. It's beyond comprehension that they got out with company computers.

[bd476]

It turns out that SAIC won a bid to design software for tracking terrorists and managing case files for the FBI. The FBI paid $100 million dollars for the software.

SAIC turned the software over to the FBI some time ago and the FBI found many glitches.

Back and forth negotiations have led to another company advising the FBI to bail out on using the SAIC designed software. $100 million dollars down the tube and now the discovery that SAIC has major security problems.

SAIC says FBI should deploy its software

[OldFriend]

Just doesn't pass the smell test.

[OXENinFLA]

And they don't have ALARMS?!?!?!?!?!?

[bd476]

They had security which could make the most uptight super spy uncomfortable. Not sure what happened but it's the stuff spy movies are made of.

Just seems weird that SAIC alleges burglars only stole computers which contained employee information.

If someone was smart enough to outwit SAIC's security system, they would know who SAIC works for (defense industry) and would also understand the value of anything they could get their grubby hands on.

Smash and grab burglaries don't work in the defense industry or at least they shouldn't.

[Gunrunner2]

You make excellent sense.

[bd476]

Thanks for the kind words. :)

[CJinVA]

I’m an ex-employee. I was told that one of the computers had Electronic Fund Transfer data on it. Having this kind of info on a desktop computer is stupid.

I don’t think they have disclosed all of the details of this.

[bd476]

Thanks, Vigl. I agree. Something seems odd - the timing is bizarre. Either SAIC is very unlucky or something's rotten in San Diego.

[bd476]

If you like mysteries, you'll love this two-headed story:

• theft of many computers from a defense industry company in San Diego and
  
• software with built-in design flaws purchased by the FBI from the burglar-ed defense industry company for $100 million dollars.

It turns out that a defense industry company, SAIC in San Diego won a bid in 2001 to design software for tracking terrorists and managing case files for the FBI. The FBI paid $100 million dollars for the software.

SAIC turned the software over to the FBI some time ago and the FBI found many glitches.

Back and forth negotiations have led to another company advising the FBI to bail out on using the SAIC designed software. $100 million dollars down the tube and now the discovery that SAIC has major security problems.

The CEO of SAIC, Arnold Punaro was supposed to testify in a Senate subcommittee yesterday regarding SAIC's dispute over the software with the FBI but Chairman Senator Gregg and Senator Leahy postponed his testimony until another date.

Link to the thread with the second 1/2 of the story:

SAIC says FBI should deploy its software

[robomurph]

I too, am an ex employee. I wonder if this was the small executive office in La Jolla rather than the main campus on Campus Point Drive.

[ironman]

"now the discovery that SAIC has major security problems"

Having 2 PCs stolen from their Stock Programs department is hardly an indication the company has a major security problem.

[bd476]

According to the article, after smashing three windows the thieves took several computers out of 13 broken into offices.

Ironman, what would you define as a security problem in an international defense industry corporation?

From the article: "Thieves stole several computers containing personal information on 45,000 current and former shareholders of defense contractor Science Applications International Corp., which began alerting those people on Thursday..."

"...Thieves smashed three ground-floor windows and pried open the doors to 13 offices early on Jan. 25, San Diego police Detective Gary Hassen said."

Ironman wrote: "Having 2 PCs stolen from their Stock Programs department is hardly an indication the company has a major security problem."

[ironman]

Sounds like an isolated incident where 2 pcs got ripped off, not a systemic problem. Companies get laptop's and other valuables ripped off all the time by thieves who sneak their way past the employee entrances after the employee badges in.

[bd476]

From: New York Times

F.B.I. Director Faults Himself for Delays of Software

By MICHAEL JANOFSKY
February 4, 2005

ASHINGTON, Feb. 3 - Robert S. Mueller III, the director of the F.B.I., told a Senate panel on Thursday that he and a federal contractor were to blame for agents still not having software that would allow them to file investigative and intelligence information directly into their computers.

Appearing before an appropriations subcommittee whose Democratic members did little to shield their irritation, Mr. Mueller also said the failed efforts to develop the program, known as Virtual Case File, or V.C.F., would cost taxpayers as much as $105 million. He explained that a test now under way could determine whether part of the program could be salvaged or whether it would have to be scrapped.

"I am responsible, at least in part, for some of the setbacks," he said, adding quickly, "however, the contractor responsible for V.C.F. bears some responsibility."

"No one is more frustrated and disappointed than I at the delays we have encountered," he said.

Mr. Mueller's concession came on the same day the inspector general of the Justice Department issued a 95-page report chronicling the failure of the Federal Bureau of Investigation to complete the third phase of technological upgrades, a $581 million project known as Trilogy that began in late 2000. The project took on urgency after the September 2001 terrorist attacks, when it became clear that agents who still relied heavily on pens and paper could not easily send and share vital information.

The report noted that the first two phases were completed - upgrades of the bureau's hardware and software and communications networks. But it concluded that modernizing an "antiquated case management system" was far from complete after three years of trying, at a cost of $170 million. Mr. Mueller told the panel that the bureau still had $53 million in usable hardware and software and $12 million left to spend in the program.

Despite Mr. Mueller's assurances that the bureau finally had control of the effort, questions to him were, at times, unusually spicy for the austere setting of a Senate hearing room. At one point, Senator Patrick J. Leahy, Democrat of Vermont and ranking member of the subcommittee on commerce, justice and the judiciary, expressed testiness over Mr. Mueller's failure to bring up problems with Trilogy at a hearing last May. And Senator Barbara A. Mikulski, Democrat of Maryland, pressed Mr. Mueller to identify who at the bureau was going to "get this back on track?"

"The pope's in charge of the Catholic Church," Ms. Mikulski said, "but who's in charge of the confessional?"

With a broad smile, Mr. Mueller assured Ms. Mikulski, "I'm in charge of the confessional."

Besides citing a lack of proper oversight from the bureau, Mr. Mueller said the company hired to develop the Virtual Case File system by December 2003, Science Applications International Corporation of McLean, Va., had produced a software program that was fraught with problems. The company, he said, agreed to make fixes within a year at an additional cost, conditions that Mr. Mueller said were "unacceptable to the F.B.I."

Nonetheless, he said he decided to test parts of the program with agents in the bureau's New Orleans office and to hire another company, Aerospace Corporation of El Segundo, Calif., to determine whether the overall program both met the original requirements and could be saved. He told the panel that Aerospace could find "no assurance" that Science Applications had produced a suitable program.

"Needless to say, Mr. Chairman," Mr. Mueller said to Senator Judd Gregg, Republican of New Hampshire, "after three and a half years, this was disappointing news."

Officials from the two companies were scheduled to testify after Mr. Mueller, but Mr. Gregg called a recess in the hearing because of other commitments, promising to reschedule their appearances.

In his written testimony, Arnold L. Punaro, executive vice president of Science Applications, defended his company's work, saying it had been hampered by the ever-changing needs of the F.B.I. after the 2001 attacks. While Mr. Punaro acknowledged "some areas where we made mistakes," he said his company delivered a "successful" project to the bureau two months ago.

But in his prepared remarks, Garry P. Pulliam, a senior vice president at Aerospace, said his company had recommended scrapping Mr. Punaro's program and starting over with commercial off-the-shelf products.

Mr. Punaro said Aerospace had analyzed the wrong software and presented the F.B.I. with a "flawed report."

[bd476]

Ironman wrote: "Sounds like an isolated incident where 2 pcs got ripped off, not a systemic problem..."

Oh, I'm sorry, Ironman, my mistake. I did not understand that your definition of the word "several" is two.

"Thieves stole several computers containing personal information on 45,000 current and former shareholders of defense contractor Science Applications International Corp., which began alerting those people on Thursday..."

"...Thieves smashed three ground-floor windows and pried open the doors to 13 offices early on Jan. 25, San Diego police Detective Gary Hassen said."

[nw_arizona_granny]

Ping

[Myrddin]

Having 2 PCs stolen from their Stock Programs department is hardly an indication the company has a major security problem.

Stock programs are run out of building A on Campus Point Drive. It is administrative and legal offices. Normal card key access on the doors and a security/receptionist during business hours. It is a simple, unfortified business office. The classified stuff is down the street. It is built like Ft. Knox and has 24X7 armed security.

[TexasCowboy]

And the beat goes on........and on.

Unbelievable!