Houston, we have a problem. Server breach at American agency sees data stolen from past and current staff
The American space agency NASA has warned its staff in an email that their personal details have been compromised in a data breach of two of its servers.
The data, said to belong to both past and present NASA employees, apparently includes social security numbers and other private information.
This is not the first time that NASA has been hacked. A group of hackers that called themselves “The Unknowns” claimed to have hacked into systems belonging to the European Space Agency (ESA), and NASA, as well as a number of military websites, back in early 2012.
NASA has not published any material about the hack on its website, as it is not required to under US law (unlike European law), but the internal email has been published by the SpaceRef news website.
The email stems from Bob Gibbs, assistant administrator, Office of the Chief Human Capital Officer at NASA.
The hack took place in late October, when “NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored.”
“Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within,” Gibbs email reads. “NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time.”
NASA said that no agency missions had been jeopardised by the hack.
“This message is being sent to all NASA employees for awareness, regardless of whether or not your information may have been compromised,” the email reads. “Those NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected.”
“Our entire leadership team takes the protection of personal information very seriously,” it added. “Information security remains a top priority for NASA.”
Security experts have pointed out that NASA is one of the most tech advanced businesses in the world, but even it has been caught out, and that many businesses are making it too easy for hackers.
“This latest data leak just goes to show how technological progress has dangerously outstripped even basic data security practices,” said Irra Ariella Khi, CEO and co-founder of VChain Technology.
“NASA is probably one of the most technologically sophisticated organisations in the world – yet, when it comes to data privacy, even it has fallen down,” said Khi. “he data exposed is personal identifiable information, which Europe has been strict in enforcing protection under through GDPR.”
“It’s beyond time that as much resource was dedicated to securing data than it is to creating it,” said Khi. “The current methods for storing data are no longer fit for purpose and there needs to be a shift to privacy by design – where security is built in from the outset. Retroactively bolting on security to protect data is clearly failing, solutions need to be designed secure. Storing 12 years of personnel data period on one server is ill-considered, naive, and reckless. We’re making it easy for the hackers.”
Another expert pointed out that this is actually the third data breach at NASA since 2011.
“It’s common for it to take time to gather data, understand what’s happening and then take action and begin the healing process in cyber incidents,” said Sam Curry, chief security officer at Cybereason. “However, it takes time but only so much time; and this is the third breach of NASA since 2011. The first priority should be to limit harm and help the victims while also ensuring that the breach is remediated, but after that it’s time to go into the more painful mission phase and learn from the results.”
“Countermeasures are important, but we the public want to know that this government agency is learning from the past, we want the post mortem, we want the agency to get better because while PII and employee privacy are vital, there are many things at NASA in the national security domain and are of vital importance to the nation,” said Curry. “From a security perspective, we all hope that the third time is a charm and that there is no fourth.”
The delay in announcing the breach was also picked up by another expert.
“NASA’s delay in announcing a breach involving one of its servers highlights the importance and effectiveness of the GDPR,” said Simon Whitburn, SVP Cyber Security Services at Nominet. “If NASA was based in Europe, it would have been forced to disclose the breach within 72 hours.”
“This is particularly important when the data which has been accessed involves the personal details of staff members, and such a delay is unfair to those affected, as they won’t have a chance to alert the relevant authorities or make arrangements for replacement passwords for example,” said Whitburn.
“Businesses need to remember that criminals move quickly,” he added. “They extract data and very quickly either use it, or package it up and sell it on. Because of this rinse and repeat cycle, organisations around the world need to work much faster when it comes to disclosing data breaches.”
Meanwhile Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), pointed to the importance of password security.
“NASA is long considered by many to be the epitome of high-tech so a breach here is a great example that even the best and brightest can fall prey to hacking,” said Young. “One of the most important things individuals can do to help avoid a breach is to be vigilant about password security and mindful of unsolicited links and attachments coming in over email and chat.”
Do you know all about security? Try our quiz!