NASA data leak exposes and compromises employee records

You would think that one of the most technologically advanced organizations in the world could avoid a cybersecurity breach. That turns out not to be the case, as NASA employees discovered this week when they were notified of a large data breach. In an internal memo sent out by NASA headquarters and written by Bob Gibbs, assistant administrator for the Office of Human Capital Management, employees were informed that personally identifiable data was exposed when a server tied to HR records was breached. The memo stated that classified mission data was not thought to be exposed, but the damage done is still significant. The most important part of the internal memo about the NASA data leak is quoted below:

On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised... those NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected. Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate. Our entire leadership team takes the protection of personal information very seriously. Information security remains a top priority for NASA.

The line about InfoSec being a top priority is laughable to anyone who knows NASA’s internal security practices. I have close ties to individuals at Jet Propulsion Laboratory, whose identities will remain anonymous to protect their jobs, and I can confidently state that NASA’s security protocols are a complete joke. Upper management especially makes poor decisions on a regular basis that compromise numerous facets of internal networks that carry sensitive data.

You don’t need to take my source’s word for it, however, as even the U.S. government has determined that NASA has a long way to go with regard to InfoSec. (And this NASA data leak was not the first time the agency’s security protocols have been shown to be insufficient.) In the latest Federal Information Security Modernization Act of 2014 (FISMA) report, for 2018, which assesses government agencies’ compliance with a bill (FISMA) intended to improve cybersecurity practices, NASA performed poorly. The FISMA reports score on a letter grade system, and NASA received an “F” from the government, making it among the worst in the entire U.S. government for InfoSec.

What this NASA data leak clearly shows is that the agency needs to get its act together.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
