CEO Letter to SAIC Employees

Date: July 20, 2007
From: Ken Dahlberg
To: All SAIC employees
Subject: Meeting Our Obligations on Sensitive Customer Data

A security failure by an SAIC organization in the handling of customer data placed the personal information of certain uniformed service members, family members and others at risk of potential compromise.

We deeply regret this failure and offer our apologies to our customers and to those whose personal information was placed at risk. Our forensic examination has not yielded evidence that the information was compromised; however, we cannot prove that it was not.

The customer data in question involves contracts with customers in the Departments of the Army, Navy, Air Force and Homeland Security. The information was stored on a single SAIC-owned, non-secure server at a small SAIC location, and in some cases was transmitted over the Internet in an unencrypted form. The work was being done in connection with TRICARE, the health benefits program for the uniformed services, retirees and their families. The personal information at risk varies by individual, but could include combinations of names, addresses, Social Security numbers, birth dates, and/or limited health information in the form of codes.

The security failure is completely unacceptable and occurred as a result of clear violations of SAIC's strong internal IT security policies. We did not live up to the high level of performance that our customers have learned to expect and demand from us. We let down our customers and the service members whom we support. We can and must perform flawlessly for our customers. We are working hard to see that this does not happen again, that all comply with policy, and that we all know that failure to comply will not be tolerated.

We are very concerned about the inconvenience and potential harm that the possible compromise of personal information may cause. Therefore, we intend to offer to affected persons the services of Kroll Inc. Kroll will provide affected persons with information on credit, fraud and identity theft matters. Kroll will staff an Incident Response Center with extended hours for the convenience of those located overseas, for whom calling during the U.S. business day is a hardship. In addition, SAIC will provide its own experts who will be available to take referrals from Kroll when Kroll personnel are unable to satisfy caller questions or concerns. If anyone should become a victim of identity theft as a result of this situation, Kroll will help them restore their identity and credit. Hopefully this will never be necessary. While these actions will come at significant expense to the company, we are committed to responsibly addressing any adverse consequences to our customers and the uniformed service members involved.

We take the requirement to protect our customers' data with the utmost seriousness. Again, this lapse resulted from the actions of a few employees and regrettably we let our customers and the affected uniformed service members down. I know I speak for all of us when I say this failure is a professional embarrassment.

We are responding to this situation in a comprehensive way to ensure that circumstances like this do not reoccur.

  • To understand the scope and impact of the security lapses, we conducted a detailed forensic analysis of the server and data, which included assistance from some of our own and the government's top experts in computer security. There is no evidence to date of a compromise; however, we cannot say with certainty that there was not. We also launched an internal investigation using outside counsel to determine how this security failure occurred. Pending completion of this inquiry, a number of employees in the organization involved have been placed on administrative leave.
  • To support our customers and affected service members and their families, a task force was established to identify ways to mitigate any adverse impact on them resulting from this situation. This task force concluded that providing Kroll's support to affected individuals was the right thing to do.
  • We are working to identify lessons learned to ensure that security lapses like this do not reoccur in the future.
  • To assure that such lapses do not exist elsewhere in the company and to determine whether any changes in policy, training methods, tools and monitoring are needed, we initiated a systematic, company-wide assessment.

SAIC employees work hard to live up to the requirements of our core values and SAIC credo - to meet our contractual obligations and perform ethically in pursuit of customer success. We must continue to do that, earning the confidence of our customers every day with hard work and honest performance.


Ken Dahlberg
Chairman of the Board and Chief Executive Officer
