Just when I thought that most organisations would have learned the lessons from the recent spate of high profile data breaches, we hear that SAIC has admitted placing at risk the personal data of over half a million military service personnel.
It’s surprising as one would have expected military personnel records to warrant tighter security than the average personnel database. It’s even more extraordinary when one considers SAIC’s background in IT security, having founded the original Information Sharing and Analysis Centres (ISACs), and currently claiming a strong capability in physical and cyber security. To quote their Web site: “Our engineers are experts in safeguarding information, systems, and web sites. With our approach to security services, SAIC can help you effectively manage risk and protect your business-critical data.”
So what happened? Details are a little sketchy but SAIC have admitted storing personal data on a “non-secure server” and transmitting it over the Internet in unencrypted form. According to one US newspaper report, the company was notified by the US Air Forces in Europe that it had detected an unsecured transmission of the information. Of course there’s no reason to suspect that any of this data has been compromised, other than the fact that Defense systems do attract a fair amount of hacking and eavesdropping attacks.
It’s interesting to note the immediate actions and costs following such an incident. SAIC have retained Kroll to provide services to affected individuals, including an Incident Response Centre with extended hours, information resources and credit and identity restoration services for any identity theft victims. The cost of these services is estimated to be in the range of $7 million to $9 million for services, excluding credit restoration costs. That’s around $12 to $15 per individual record potentially compromised. With potentially more to come.
So what could have been done to prevent such breaches? Plenty, including ensuring that regular penetration tests and information security audits are carried out of all in-house and outsourced services. That’s why we developed the ISO 7799 standard and its associated certification schemes. Now that we have standards and mechanisms to certify services, there’s no excuse for not using them.