Government contractor warns of possible breach
We talk a lot at Betanews about weak security at certain government agencies (hello, IRS!), but let's not forget that federal employees can suffer too when defenses are breached at an agency or contractor -- for instance, at Virginia-based SRA International, which handles IT consulting and services for various defense, military and civil agencies.
SRA is required by law to inform potentially affected agencies when they've been hit, and on January 20, the company sent a fax to the Maryland Attorney General's office letting them know that malware -- something that can scarf up personally identifiable information, something that slipped by SRA's antivirus protections -- was recently discovered on SRA's network.
The company says that it's working with law enforcement to figure out what happened, but it hasn't yet seen proof that any data was actually breached, let alone abused. The company keeps the usual personnel data -- name, address, date of birth, Social Security number -- and in some employees' cases would also have health information (including that of employee dependents covered by the employee's insurance) and/or more revealing information of the sort one gives when applying for security-sensitive positions.
It's not yet known who deposited the malware, but SRA says it has "no indication" that it was put on the system by an employee. (Virus shown above probably no relation, but it looked suitably fierce on Wikimedia Commons.)
The company (which, by the way, is #100 on Fortune's list of 100 Best Companies To Work For, and has remained listed for a decade despite a publicized breach in mid-2007) declines to identify its antivirus vendor, but says that the vendor has been notified and has updated its definition files.