BelchSpeak

I can't believe that came from your mouth!


SRA Screws its Employees and its Fed Customers

Happy happy, joy, joy.  I got my notification letter from a previous employer, SRA International.  They said that there was a data breach, but they have no idea what data, or how much of it, may have been stolen by hackers.  And since they are so clueless as to the extent of the data breach, they are notifying all of their federal customers that information relating to them may have been exposed as well.  I am not sure which is worse: that they were so poorly protected defensively, or that they have no visibility into the mobility of their PII data.

From ComputerWorld here:

Employees at federal security agencies are being notified that their personal information may have been compromised after hackers planted a virus on computer networks of government contractor SRA International Inc.

SRA began notifying its employees and all of its customers after discovering the breach. The malicious software may have allowed hackers to get access to data maintained by SRA, including “employee names, addresses, Social Security numbers, dates of birth and health care provider information,” the Fairfax, Va.-based company said in a notification posted at the Maryland attorney general’s Web site.

The breach is embarrassing for SRA, a 6,600-employee technology consulting company that sells cybersecurity and privacy services to the federal government. The company wouldn’t say which federal agencies were affected by the breach, but in U.S. Securities and Exchange Commission filings, it lists intelligence agencies and the U.S. Department of Defense, the U.S. Department of Homeland Security and the U.S. National Guard among its clients.

SRA doesn’t know if any data has been compromised, but it’s taking the precaution of notifying customers that their data may have been accessed.

SRA also has a large contract with FDIC.  From the description of the exposure, it sounds like employee health information was possibly accessed, which points to a breach in the HR department.  If the breach was limited to just that internal group, no contract information with Federal branches should have been exposed, unless, of course, the HR department could access the rest of the network at will.

I really can’t stand the empty platitudes that often accompany these admissions of data breaches.  For instance, in my letter, SRA claims:

Sorry, but I don’t think SRA is really committed to the protection of personal data.  If they were, they would have already had the safeguards in place that they are implementing now.

Dr. Jones

Do not talk about fight club. Oops.
