Hackers Succeed in NASA Mission, Lifting Thousands of Employee Records


Twelve years’ worth of data has blasted off into the Dark Web.

NASA has become the latest victim of a breach, but it’s unlikely that sensitive space mission data was impacted.

In an internal memo sent to employees, NASA admitted that it was hacked by an unauthorized intruder in October, and that personally identifiable information for thousands of employees was compromised, including Social Security numbers.

The server in question was apparently an HR database. Those affected are NASA Civil Service employees who were hired, who left, or who received transfers. The amount of information exfiltrated is potentially significant: the compromised records run from July 2006 to October 2018, i.e. 12 years’ worth of data.

“NASA and its federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals,” NASA said in a website notice on Wednesday. “This process will take time.”

Further details are scant, but some noted the obvious irony of one of the most technologically advanced entities in the U.S. (if not the world) falling prey to a common hack.

“Tech to send mission to Mars but can’t stop Internet attacks. Amazing!” tweeted one. Others took up the theme as well.

“NASA is long considered by many to be the epitome of high-tech, so a breach here is a great example that even the best and brightest can fall prey to hacking,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT), in an email. “One of the most important things individuals can do to help avoid a breach is to be vigilant about password security and mindful of unsolicited links and attachments coming in over email and chat.”

However, given that federal cybersecurity is notoriously lagging, the incident is perhaps not a total surprise, especially since it could be related to other attacks.

“Those affected by the NASA breach were likely impacted by the previous NASA breaches, the 2015 Office of Personnel Management breach that affected 21.5 million federal employees and contractors, and, if they transferred to the Department of Defense since onboarding with NASA, they could have been victims of the DoD breach reported a few weeks ago,” said Michael Magrath, director, global regulations and standards, OneSpan, via email. “An ‘agency breach trifecta.'”

He added, “Their personally identifiable information is already on the Dark Web, available for sale. In addition to Christmas cards in their mailbox, NASA employees will receive their breach notification letter which will include the usual standard operating procedure of free credit monitoring.”

Cover image courtesy of NASA/JPL.


Discussion

  • Evan C on

    The business model for NASA only proves that NASA is not the most technically advanced by far. They are still using discardable modules that create waste. NASA is a job factory, nothing more. They are simply a drain for money to get funneled into and sequestered for black budget projects. They are not even innovative. If they were, then why hasn't NASA updated its own website on the types of rockets being used since 2012? In the same time period that companies like SpaceX have made such significant strides. If NASA is innovative and the most advanced entity in the world, please tell me how that happened.
