Social security numbers and other personal information belonging to employees of the U.S. National Aeronautics and Space Administration (NASA) may have been stolen after at least one of the agency’s servers was breached.
In a message obtained by SpaceRef, NASA officials told employees that cybersecurity staff started investigating a possible breach of servers on October 23. An initial analysis revealed that social security numbers and other personally identifiable information (PII) stored on one server may have been compromised.
An investigation has been launched in an effort to determine “the scope of potential data exfiltration” and identify the individuals who may be impacted. However, NASA says this process “will take time.”
“The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents,” said Bob Gibbs, assistant administrator at NASA’s Office of the Chief Human Capital Officer.
The incident impacts both past and present employees. NASA says affected individuals will be notified and offered identity protection services once they have been identified. For now, the agency says the breach may impact NASA Civil Service employees who were on-boarded, separated from the agency, or transferred between centers from July 2006 to October 2018.
“Our entire leadership team takes the protection of personal information very seriously. Information security remains a top priority for NASA. NASA is continuing its efforts to secure all servers, and is reviewing its processes and procedures to ensure that the latest security practices are being followed throughout the agency,” Gibbs said.
A report released in 2012 showed that NASA had suffered several breaches. Another incident that came to light in the same year involved a stolen NASA laptop that stored personal information. However, no other major security incidents have come to light since.
In 2012, Iranian hackers claimed they had used an SSL certificate issued to NASA’s Research and Education Support Services group for man-in-the-middle (MitM) attacks. In 2016, hacktivists claimed to have hacked NASA drones and stolen sensitive information from the space agency’s systems. However, in both cases NASA issued a denial – the claims were most likely false.