Virus hits SRA International and leads to potential compromise

Date Reported:
1/20/09

Organization:
SRA International, Inc.

Contractor/Consultant/Branch:
None

Location:
Fairfax, Virginia*

*SRA International headquarters are in Fairfax, but this incident may be global

Victims:
Employees, former employees, and dependents of employees who may be enrolled in the SRA benefits program

Number Affected:
Unknown (1,397 Maryland residents mentioned)

Types of Data:
"personal information such as name, address, date of birth, health information and Social Security Number"

Breach Description:
"The SRA Information Technology Services (ITS) team recently discovered a virus on the SRA network that may have allowed the compromise of data."

Reference URL:
Maryland Attorney General

Report Credit:
The Maryland Attorney General

Response:
From the online source cited above:

The SRA Information Technology Services (ITS) team recently discovered a virus on the SRA network that may have allowed the compromise of data.
[Evan] For years virus infections and outbreaks have been the most costly information security threats for organizations large and small.  In my opinion, this is still very much true in today's environments.  Viruses and other malware have been around almost as long as computers have, and there are no signs to indicate that infections will subside.

We immediately launched an investigation into this incident and informed law enforcement and other U.S. governmental authorities.

Our investigation into the source of the virus and potential data compromise continues, and SRA's ITS team, supported by SRA cyber security experts, is swiftly implementing mitigation and remediation actions to eradicate the virus.
[Evan] There are literally thousands of ways for a virus to get into an enterprise.  Tracing a source can often be hindered by containment efforts.

At this time, we have not determined that any personnel data has been compromised but we believe it is appropriate to notify all employees, former employees and consumers that personal information may have been subject to unauthorized access.

The personnel data maintained by the company includes personal information such as name, address, date of birth, health information and Social Security Number, including those of any dependents that are enrolled in SRA benefits programs, as well as personal information stored on a company computer (and which in select cases might include personal data reflected in security position questionnaires) for approximately one thousand three hundred ninety-seven (1,397) residents of the State of Maryland.
[Evan] Was there any indication of this infection affecting the systems used to store sensitive information, or has the company decided to consider all systems and information at risk?  Is sensitive information storage and processing contained to a small number of isolated systems?  If so, then you only need to notify people with information on those systems.  I am guessing that this virus propagated throughout SRA's network and systems AND that sensitive information is available throughout the enterprise rather than on a small number of isolated systems.

As a precautionary measure to help detect any possible misuse of personal information, SRA is offering to its current employees the services of credit monitoring.

In addition, SRA has created a dedicated information page on the internal company Web portal.
[Evan] This doesn't help former employees or consumers that may be affected.

SRA takes the security of personal data very seriously and is committed to minimizing the risks associated with the exposure of personal information.

Security is of paramount importance to SRA, and there are numerous safeguards in place to protect information.
[Evan] Security should be "of paramount importance" to everyone!

SRA is implementing additional safeguards intended to prevent a similar incident from occurring in the future.

You should be aware that the information you are receiving today is company proprietary and should not be discussed externally.
[Evan] This "proprietary" information has already been disclosed externally ;)  Why does SRA not want this information to reach the public?  You can probably come up with this answer yourself.

Commentary:
As I stated earlier, the threats posed by viruses are not going away.  The risks of unauthorized disclosure, modification, and destruction of sensitive information are real, but can be minimized through a mix of good information security practices.  Technical controls might include (depending on your environment) patch management, ingress/egress filtering and management, network segmentation, anti-virus management, IDS/IPS management, Network Access Control, etc.  Administrative controls might include policy development and improvement, segregation of duties, and employee training and awareness.  You get the picture.  Information security doesn't fit into a nice, neat, little box, does it?

Past Breaches:
Unknown


 