A server containing personal information, including social security numbers, of current and former NASA workers may have been hacked, and its data stolen, it emerged today.
According to an internal memo circulated among staff on Tuesday, in mid-October the US space agency investigated whether or not two of its machines holding employee records had been compromised, and discovered one of them may have been infiltrated by miscreants.
It was further feared that this sensitive personal data had been siphoned from the hijacked server. The agency's top brass stressed no space missions were affected, and identity theft protection will be offered to all affected workers, past and present. The boffinry nerve-center's IT staff have since secured the servers, and are combing through other systems to ensure they are fully defended, we're told.
Anyone who joined, left, or transferred within the agency from July 2006 to October 2018 may have had their personal records swiped, according to NASA bosses. Right now, the agency employs roughly 17,300 people.
"Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within," the memo, issued by assistant administrator Bob Gibbs, stated.
"NASA and its federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any agency missions were jeopardized by the cyber incidents."
In a statement to The Register today, a spokesperson for NASA told us:
On Oct. 23, 2018, NASA cybersecurity personnel began investigating the potential compromise of two NASA servers. One of the servers contained personally identifiable information (PII) on current and past NASA employees and these data may have been exfiltrated. The agency will provide identity protection services to all potentially affected individuals.
NASA does not believe that any agency missions were jeopardized by the intrusions. Once discovered, NASA took immediate action to secure the impacted servers and has been working to perform a forensic analysis since then – this process will take time. The ongoing investigation is a top NASA priority.
NASA takes cybersecurity very seriously and is committed to devoting the necessary resources to ensure the security of agency information and IT systems. The agency is continuing its efforts to secure all servers, and is reviewing its processes and procedures to ensure the latest security practices are followed throughout the agency.
We've asked NASA while it took nearly two months to inform staff, despite it being a top priority, and what exactly may have been exfiltrated. "We cannot go into specifics about the data," a spokesperson told us, adding: "However, 2 CFR 200.79 defines PII as “…information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual." ®
Additional reporting by Richard Speed.
In other space news... President Donald Trump today instructed the Pentagon to form the US Space Command, which will pull in service personnel from all corners of Uncle Sam's armed forces. Space Command will be expected to take over space-related national security responsibilities previously held by the United States Strategic Command.
This is all part of the President's desire to set up a new branch of the military dubbed Space Force, which will counter any moves by Russia or China to jam or destroy American satellites or disrupt other US space operations.
Crucially, Trump may be unable to get the Democrat-controlled House of Reps to sign off on his Space Force dream, and so Space Command may be an attempt at establishing another route to setting up a standalone space-focused branch of the military. Space Command will be led by a four-star Senate-approved general or admiral, and more details on how exactly it will play out will be revealed within the next few weeks, according to Vice President Mike Pence.