NASA data breach included employee Social Security numbers

Limited details leave questions surrounding a possible NASA data breach that could have compromised Social Security numbers for current and former employees.

NASA disclosed a security incident, but a lack of details leaves more questions than answers regarding what -- if anything -- occurred.

The potential NASA security breach was discovered on Oct. 23, and an investigation began. But the agency was careful to call the incident a "possible compromise" in an internal memo.

"After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other [personally identifiable information] data of current and former NASA employees may have been compromised," Bob Gibbs, assistant administrator in the Office of the Chief Human Capital Officer for NASA, wrote in the memo. "Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within. NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals."

The disclosure of the possible NASA data breach did not include any information regarding why the incident has been classified as a "possible compromise," when the incident might have occurred or how many current and former employees were included in the database.

NASA did not respond to requests for comment at the time of this post.

Jacob Serpa, product marketing manager at Bitglass, based in Campbell, Calif., noted that NASA currently has "more than 17,000 employees," plus former employees who may have been affected by the NASA data breach.

"While NASA confirmed that it was working with federal authorities to investigate the breach, waiting two months to notify employees is quite negligent -- particularly in light of the fact that Social Security numbers were exposed," Serpa said. "Obviously, the best-case scenario is to avoid breaches altogether. However, if one does occur, proper steps must be taken to mitigate damage and communicate with affected stakeholders in a timely manner."

Experts also pointed out the troubling history of NASA data breaches and security failures, including the most recent Government Accountability Office report, which said NASA has exhibited "long-standing IT management weaknesses."

Stephan Chenette, CTO and co-founder for AttackIQ, based in San Diego, detailed previous incidents affecting NASA.

"In 2011, the agency admitted to 13 separate major network breaches. And in 2016, we saw another major hack compromise NASA employee data, flight logs and videos, and the intruders were even able to alter the path of one of NASA's drones," Chenette said. "Earlier this year, NASA received more than $20 billion for its fiscal year 2018 budget -- its best budget since 2009. After multiple serious security incidents, the agency needs to re-evaluate the funds and resources it is dedicating toward cybersecurity and adopt solutions that provide visibility into their cyber readiness on a continuous basis to ensure that its systems are operating as intended and defending the organization's data."