NASA has announced that they suffered a data breach in October that compromised the PII of current and former employees, including Social Security numbers. The agency is still unaware of the scope of the breach, but they are notifying all employees, so they can take countermeasures against possible fraud as a precaution. Previously, NASA has suffered similar security breaches in 2016 and 2011.
Experts Comments below:
Gaurav Banga, CEO and Founder at Balbix:
“NASA and other government agencies store massive amounts of highly sensitive data. As disastrous as it is for NASA to expose its employees’ personally identifiable information (PII), this breach indicates the agency needs to strengthen its current security measures to ensure all other data is secure and can’t be exploited for more sinister intentions. Furthermore, this is not the first time NASA has been hacked; in 2016 the agency had more than 250GB of data stolen including the information of 2,000 employees, flight logs, flight videos and most alarmingly, the hackers were able to alter the flight path of one of NASA’s Global Hawk drones before the ground crew were able to correct its path.
This security incident and NASA’s history of breaches shows once again that no entity, not even government organizations, are immune from the dangers posed by hackers, despite of substantial investments in traditional tools. Analyzing and improving enterprise security posture is no longer a human scale problem anymore. To best combat these threats, these agencies must implement security tools that use machine learning and automation to monitor their enormous attack surfaces and vast IT asset landscape to proactively identify and address security vulnerabilities to mitigate the risk of future breaches.”
Stephan Chenette, CTO and Co-founder at AttackIQ:
“This is not the first time we have seen NASA suffer a security breach. In 2011, the agency admitted to 13 separate major network breaches, and in 2016 we saw another major hack compromise NASA employee data, flight logs and videos, and the intruders were even able to alter the path of one of NASA’s drones. Now NASA’s current and former employees have had their personally identifiable information compromised, including Social Security numbers, exposing those affected to further instances of fraud and data leaks through other vectors.
Earlier this year, NASA received more than $20 billion for its fiscal year 2018 budget, its best budget since 2009. After multiple serious security incidents, the agency needs to reevaluate the funds and resources it is dedicating toward cybersecurity and adopt solutions that provide visibility into their cyber readiness on a continuous basis to ensure that its systems are operating as intended and defending the organization’s data. A more robust solution will give NASA’s executive team the confidence that their operations will not be interrupted by a security breach, thus saving time, money, intellectual property and more.”
Jacob Serpa, Product Marketing Manager at Bitglass:
“The scope of this breach is still unknown; however NASA has more than 17,000 employees (and more former employees) who may have been affected. While NASA confirmed that it was working with federal authorities to investigate the breach, waiting two months to notify employees is quite negligent – particularly in light of the fact that Social Security numbers were exposed. Obviously, the best case scenario is to avoid breaches altogether; however, if one does occur, proper steps must be taken to mitigate damage and communicate with affected stakeholders in a timely manner.
To prevent unauthorized access to sensitive data, organizations must adopt robust, flexible, and proactive cybersecurity platforms. These platforms must include identity and access management capabilities for verifying users’ identities, detecting potential intrusions, and enforcing step-up, multi-factor authentication in real time.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.