SRA International notified the Maryland Attorney General’s Office on January 20 that it had recently detected a virus on its network that may have allowed compromise of data. As of the date of the report, SRA’s security experts were reportedly still in the process of trying to eradicate the virus.
Because the security experts could not determine whether data had been compromised, the company decided to notify all current and former employees, customers, and dependents of employees who were enrolled in a health benefits program. The personal data at risk included name, address, date of birth, social security number and health information, as well as “personal information stored on a company computer (and which in select cases might include personal data reflected in security position questionnaires.)” SRA was notifying 1,397 Maryland residents of the incident; the total number was not provided. SRA International, which counts defense and military service organizations among its national security service clients, reports that it has 6,600 employees worldwide.
The company set up a web page on the incident on their portal site and established a dedicated email address for those affected to use if they had questions. In his notification to employees, Stan Sloane, President & CEO offered them free credit monitoring services, but also instructed them not to discuss the incident outside of the company.
No copy of the notification to customers was attached to the filed report.