[BreachExchange] NASA discloses data breach

Destry Winant destry at riskbasedsecurity.com
Wed Dec 19 09:23:41 EST 2018


https://www.zdnet.com/article/nasa-discloses-data-breach/

The US National Aeronautics and Space Administration (NASA) admitted
today to getting hacked earlier this year.

In an internal memo sent to all employees, the agency said that an
unknown intruder gained access to one of its servers storing the
personal data of current and former employees. Social Security numbers
were also compromised, NASA said.

The agency said it discovered the hack on October 23, almost two
months ago. It is unclear why the agency waited nearly two months to
notify employees, but it is common for US law enforcement to ask
hacked organizations to delay notifying affected victims while they
investigate an incident.

NASA confirmed it was working with federal cybersecurity partners "to
examine the servers to determine the scope of the potential data
exfiltration and identify potentially affected individuals."

The agency still doesn't know the scope of the breach and the number
of impacted employees. In its memo today, NASA said it was notifying
all employees so they could take countermeasures against possible
fraud, as a precaution.

"Those NASA Civil Service employees who were on-boarded, separated
from the agency, and/or transferred between Centers, from July 2006 to
October 2018, may have been affected," said Bob Gibbs, NASA Assistant
Administrator, in the memo.

"Once identified, NASA will provide specific follow-up information to
those employees, past and present, whose PII was affected, to include
offering identity protection services and related resources, as
appropriate," he said.

The agency said the investigation into the hack "will take time."

A NASA spokesperson did not immediately respond to ZDNet's request for comment.

NASA also said it didn't believe that any of its missions were
jeopardized by the hack.

The US space agency also suffered similar security breaches in 2011 and 2016.


More information about the BreachExchange mailing list