FAA suffers massive data breach; more than 45,000 affected

The Federal Aviation Administration has notified employees that one of its computers was hacked, and the personally identifiable information of more than 45,000 employees and retirees was stolen electronically. All affected employees will receive individual letters to notify them about the breach, the FAA said Feb. 9.

Two of the 48 files on the breached server contained personal information about employees and retirees who were on the FAA’s rolls as of the first week of February 2006, the FAA said in a statement.

In a letter to employees Feb. 9, Lynne Osmus, the acting FAA administrator, said that the agency’s Cyber Security Management Center was investigating unusual activity when it discovered an administrative server had been hacked.

Most of the 48 breached files were test files used for application development, but two of these files contained names and Social Security Numbers, she said. Medical information from the hacked files was encrypted and not identifiable.   

“We are moving swiftly to identify short-term and long-term measures — procedural and technological — to prevent such incidents from recurring.  All current and former employees who are affected will receive a letter shortly alerting them to this event,” Osmus said.

Among the measures the FAA is taking is posting information in the form of frequently asked questions on the FAA’s employee and public Web sites, Osmus said. The agency also has notified employee union representatives and congressional committees with oversight over the agency, an FAA spokeswoman said. The FAA said it notified law enforcement authorities, and they are investigating the data theft.

The server that was illegally accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the agency has no indication that those systems have been compromised in any way, the FAA said.

Although the FAA has not provided much information about the incident, Mike Rothman, senior vice president of strategy for eIQnetworks, said the FAA responded fairly quickly to the breach in narrowing down which device and files containing sensitive data were compromised.
 
“Their response shows they had a good response plan in place and they executed on it well,” he said. However, the FAA could improve its information security by having a “very monitoring-centric approach to understand what’s happening with your data,” Rothman said.
 
In January, the Office of Management and Budget named the FAA as one of four agencies to provide certification and accreditation services for computer systems, helping other agencies fulfill information security requirements under the Federal Information Security Management Act.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


Reader comments

Sun, Mar 1, 2009 Christine Sanchez Queens, NY

The FAA did issue letters to the 45,000 employees/retirees, dated February 18, 2009 (and received by me, an FAA retiree, on the 27th, via snail mail). They provided FAQs, along with details to get a free year service from Experian. Unfortunately, I could not access the website they cited. The $25k Identity Theft insurance is NOT available to NY'ers! I'm wondering what the FAA is going to do for us. All of us are scared to death and sick about this whole fiasco - but it's par for the course for the FAA.

Wed, Feb 11, 2009 Tech Ops Person

They have posted NOTHING! No Q&As, no URLs, no phone numbers. Management has related no information beyond the basic, "we've been hacked". Folks should have already been told to, at a bare minimum, file a Fraud Alert with one of the three credit agencies. It can be done for free. Next, they should file a report with the FTC. Again, this can be done for free. They may wish to consider going to OptOutprescreen.com and opting out of the listings (to be a lower profile target for ID theft). The management has been negligent in its response as far as actually taking care of people. They released the information after hours on Monday. The breach occurred last week!!! We should have been told as soon as they knew, so that we could be proactive in protecting our credit and our accounts. Didn't they learn ANYTHING from the VA's multiple breaches? Where was/is their mitigation protocol for the affected employees? Was the breached processor maintained by the FAA or by a contractor? If a contractor, who? Veterans just won a class action lawsuit against the VA for this exact thing. So far, the FAA management is performing very badly.

Wed, Feb 11, 2009 Steve

As a retiree I would like to know if and when my information would have been removed from the FAA rolls? I retired in 2003 and from an ATC contractor in 2007.

Wed, Feb 11, 2009 St-Op-Pro

The FAA has always protected itself first vs its employees. I quickly enrolled in LifeLock upon hearing the news... I suggest "ALL" current FAA employees consider the same. You CANNOT depend on FAA management to do the "right" thing.

Wed, Feb 11, 2009 BOb

As an FAA employee, I am concerned that a hacker has my Social Security number, medical information, and other sensitive information. Hopefully, this information will not be used to compromise my credit rating and banking and credit card information.
