Questions & Answers
- What are the details of the incident?
- What type of information was exposed?
- Was personal information compromised?
- How and when will I be notified if my personal information was at risk of compromise?
- Why wasn't I notified sooner?
- If my notification letter doesn't include specifics on who in my household was affected, how can I find out?
- Who is SAIC?
- Why is SAIC sending me this letter and who is the signer Arnold Punaro?
- What is SAIC doing to protect affected individuals against possible identity theft?
- What is SAIC doing to prevent this from happening again?
- Where can I get more information?
- What can I do to protect myself against identity theft?
- What should I do if I notice suspicious activity on my account?
1. What are the details of the incident?
The personal information of certain uniformed service members, family members, and others was found at risk of potential compromise while being processed by SAIC under several health care contracts for the Department of Defense (DoD). The information was held on a single, SAIC-owned File Transfer Protocol (FTP) server at a small SAIC location in Shalimar, Florida. The information was for work being done in connection with TRICARE, the health benefits program for the uniformed services, retirees and their families. The server was not behind a firewall and did not contain adequate password protections, which is in violation of SAIC policy. SAIC stopped using this server when security concerns were raised.
SAIC is notifying approximately 580,000 households, some with more than one affected person. There are a total of some 867,000 unique individuals in these households, including minors and infants. All affected will be covered either by an individual or a household letter.
2. What type of information was exposed?
The information at risk varies by individual, but could include combinations of names, addresses, Social Security numbers, birth dates, and/or limited health information in the form of codes.
3. Was personal information compromised?
SAIC has conducted extensive data and forensic analyses of the affected server to determine the scope of the potential compromise and identify any evidence of unauthorized access to the data. We engaged the help of the government's foremost computer security experts as well. The forensic analysis has yielded no evidence that personal information maintained on the server was removed or compromised; however, we cannot rule out that possibility.
4. How and when will I be notified if my personal information was at risk of compromise?
In compliance with privacy regulations, potentially impacted persons or households are being notified of the risk. SAIC, in coordination with the government, is sending one notification letter per identifiable adult (e.g., service member, spouse, dependent parent) or one per family when there is an affected dependent in a service member sponsor's household. The letter will be sent from ID TheftSmart and delivered by the U.S. Postal Service. This package will include a letter from SAIC, a letter from the government, and information from Kroll Inc. on their IDTheftSmart™ identity restoration service.
5. Why wasn't I notified sooner?
SAIC has been working around the clock with the DoD to identify the information that was at risk of compromise, the contracts that had data on the FTP server, and the unique number of individuals that had data on the FTP server. In particular, the relevant folder contained an incredibly large amount of data - almost 4 Gigabytes - divided into almost 1000 different files. Each file had to be opened manually, reviewed for content, entered into a database, correlated with a specific contract, and associated with a particular government agency. Then, SAIC was required to coordinate this data with the Government's DEERS database to eliminate duplications and to obtain current mailing information for each individual. We regret that the information required to initiate notification was not available sooner, but we wanted to ensure that it was both accurate and timely. SAIC's notification process has complied with all applicable DoD guidelines.
6. If my notification letter doesn't include specifics on who in my household was affected, how can I find out?
The notification letter being sent by ID TheftSmart to identified adults or households contains the necessary authentication and specific contact information needed for access to ID TheftSmart services.
Dedicated telephone lines are reserved for use by those individuals identified and notified in writing by SAIC, in coordination with the government, about this incident. Individuals calling in for assistance will be asked to provide their ID TheftSmart member identification number as verification. The member identification number is contained in the ID TheftSmart notification letter being delivered by the U.S. Postal Service.
7. Who is SAIC?
SAIC is a leading provider of scientific, engineering, systems integration and technical services and solutions to all branches of the U.S. military, agencies of the Department of Defense, the intelligence community, the U.S. Department of Homeland Security and other U.S. Government civil agencies, as well as to customers in selected commercial markets.
8. Why is SAIC sending me this letter and who is the signer Arnold Punaro?
SAIC is working closely with its government customers to mitigate the inconvenience and potential harm the possible compromise of personal information may cause. In accordance with applicable regulations, the United States Government is obligated to provide written notice to individuals in those situations where personal information could potentially have been compromised. In this instance, SAIC sought and received permission from the Government to send the notices to affected persons at no cost to you or the Government.
Arnold Punaro is one of SAIC's most senior executives responsible for Government Affairs, Communications and Support Operations. He is a retired Marine Corps Major General with extensive experience in military personnel matters. Because of his experience in the military, the government, and crisis management, he was named by SAIC's CEO to run the company-wide task force to bring all the necessary resources of the company to bear on this important process.
9. What is SAIC doing to protect affected individuals against possible identity theft?
SAIC is very concerned about the inconvenience and potential harm that the possible compromise of personal information may cause. Therefore, SAIC will provide affected persons with the services of Kroll Inc. Kroll will staff an Incident Response Center to provide affected persons with information on credit, fraud and identity theft matters, and a free, one-year membership in Kroll Inc.'s IDTheftSmart™ identity restoration service. SAIC will also provide its own experts who will be available to take referrals from Kroll when it is appropriate for questions or concerns to be re-directed to SAIC. If anyone should become a victim of identity theft as a result of this situation, Kroll will help them restore their identity and credit.
The notification letter being sent by ID TheftSmart to identified adults or households contains the necessary authentication and specific contact information needed for access to ID TheftSmart services.
The Incident Response Center was established for use by those individuals identified and notified in writing by SAIC, in coordination with the government, about this incident. Individuals calling in for assistance will be asked to provide their ID TheftSmart member identification number as verification. The member identification number is contained in the ID TheftSmart notification letter being delivered by the U.S. Postal Service.
10. What is SAIC doing to prevent this from happening again?
The practices used at the location that put the information at risk were halted. We take the requirement to protect our customers' data with the utmost seriousness. These security lapses occurred in violation of both SAIC and DoD policy. They are inconsistent with SAIC's well-earned reputation as a leader in information security. We are taking action to ensure that they do not reoccur.
In response to the security failure, SAIC:
- Established a company-wide task force to ensure that the company responsibly addresses any adverse impact on the company's customers and any affected individuals.
- Conducted a detailed forensic analysis of the server and data, which included assistance from some of the company's and the government's top experts in computer security.
- Initiated a systematic, company-wide assessment to assure that such lapses do not exist elsewhere in the company and determine whether any changes in policy, methods, tools and monitoring are needed to make sure that such a lapse does not recur.
- Launched an internal investigation using outside counsel to determine exactly how this security failure occurred and placed a number of employees on administrative leave pending the outcome of the investigation.
11. Where can I get more information?
The following resources are available to answer your questions:
The notification letter being sent by ID TheftSmart to identified adults or households contains the necessary authentication and specific contact information needed for access to ID TheftSmart services.
The Incident Response Center was established for use by those individuals identified and notified in writing by SAIC, in coordination with the government, about this incident. Individuals calling in for assistance will be asked to provide their ID TheftSmart member identification number as verification. The member identification number is contained in the ID TheftSmart notification letter being delivered by the U.S. Postal Service.
12. What can I do to protect myself against identity theft?
There is a wealth of information available about identity theft for you and your household members at the consumer protection web sites of the Federal Trade Commission (FTC), Department of Defense (DoD), and TRICARE:
These sites provide valuable information regarding identity theft prevention and steps that individuals can take should problems develop.
Monitor your credit
Common advice includes routinely monitoring your financial accounts and billing statements for suspicious activity. Credit reports contain information about you, including what accounts you have and how you pay your bills. The law requires each of the major nationwide consumer reporting agencies to provide you with a free copy of your credit report, at your request, once every 12 months. Best practice recommends requesting a credit report every four months, rotating through the three nationwide consumer credit reporting companies with each request.
To order your free annual report from one or all of the national consumer reporting companies:
- Visit www.AnnualCreditReport.com
- Call toll-free 877-322-8228, or
- Complete the Annual Credit Report Request Form (40k PDF file*) (FTC web site) and mail it to:
  Annual Credit Report Request Service
  P.O. Box 105281
  Atlanta, GA 30348-5281
Please do not contact the three nationwide consumer reporting companies individually; they provide free annual credit reports only through the AnnualCreditReport.com service.
Support from Kroll
In addition, SAIC has contracted with Kroll to provide affected persons with information on credit, fraud and identity theft matters, including a free, one-year membership in Kroll Inc.'s IDTheftSmart™ identity restoration service.
The notification letter being sent by ID TheftSmart to identified adults or households contains the necessary authentication and specific contact information needed for access to ID TheftSmart services.
The Incident Response Center was established for use by those individuals identified and notified in writing by SAIC, in coordination with the government, about this incident. Individuals calling in for assistance will be asked to provide their ID TheftSmart member identification number as verification. The member identification number is contained in the ID TheftSmart notification letter being delivered by the U.S. Postal Service.
13. What should I do if I notice suspicious activity on my account?
Individuals who suspect they have become a victim of fraud or identity theft as a result of this incident should contact Kroll Inc. for assistance.
The notification letter being sent by ID TheftSmart to identified adults or households contains the necessary authentication and specific contact information needed for access to ID TheftSmart services.
The Incident Response Center was established for use by those individuals identified and notified in writing by SAIC, in coordination with the government, about this incident. Individuals calling in for assistance will be asked to provide their ID TheftSmart member identification number as verification. The member identification number is contained in the ID TheftSmart notification letter being delivered by the U.S. Postal Service.
*Note: PDF documents are viewed using Acrobat® Reader®.