FAA suffers massive data breach; more than 45,000 affected

The Federal Aviation Administration has notified employees that one of its computers was hacked, and the personally identifiable information of more than 45,000 employees and retirees was stolen electronically. All affected employees will receive individual letters to notify them about the breach, the FAA said Feb. 9.

Two of the 48 files on the breached server contained personal information about employees and retirees who were on the FAA’s rolls as of the first week of February 2006, the FAA said in a statement.

In a letter to employees Feb. 9, Lynne Osmus, the acting FAA administrator, said that the agency’s Cyber Security Management Center was investigating unusual activity when it discovered an administrative server had been hacked.

Most of the 48 breached files were test files used for application development, but two of these files contained names and Social Security Numbers, she said. Medical information from the hacked files was encrypted and not identifiable.   

“We are moving swiftly to identify short-term and long-term measures — procedural and technological — to prevent such incidents from recurring.  All current and former employees who are affected will receive a letter shortly alerting them to this event,” Osmus said.

Among the measures that the FAA is taking is to post information in the form of frequently asked questions on the FAA’s employee and public Web sites, Osmus said. The agency also has notified employee union representatives and congressional committees with oversight over the agency, an FAA spokeswoman said. The FAA said it notified law enforcement authorities, and they are investigating the data theft.

The server that was illegally accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the agency has no indication that those systems have been compromised in any way, the FAA said.

Although FAA has not provided much information about the incident, Mike Rothman, senior vice president of strategy for eIQnetworks, said the FAA responded fairly quickly to the breach in narrowing down which device and files containing sensitive data were compromised.
 
“Their response shows they had a good response plan in place and they executed on it well,” he said. However, the FAA could improve its information security by having a “very monitoring-centric approach to understand what’s happening with your data,” Rothman said.
 
In January, the Office of Management and Budget named the FAA as one of four agencies to provide services to certify and accredit computer systems to assist other agencies to fulfill information security requirements under the Federal Information Security Management Act.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.