FAA suffers massive data breach; more than 45,000 affected

The Federal Aviation Administration has notified employees that one of its computers was hacked, and the personally identifiable information of more than 45,000 employees and retirees was stolen electronically. All affected employees will receive individual letters to notify them about the breach, the FAA said Feb. 9.

Two of the 48 files on the breached server contained personal information about employees and retirees who were on the FAA’s rolls as of the first week of February 2006, the FAA said in a statement.

In a letter to employees Feb. 9, Lynne Osmus, the acting FAA administrator, said that the agency’s Cyber Security Management Center was investigating unusual activity when it discovered an administrative server had been hacked.

Most of the 48 breached files were test files used for application development, but two of these files contained names and Social Security Numbers, she said. Medical information from the hacked files was encrypted and not identifiable.

“We are moving swiftly to identify short-term and long-term measures — procedural and technological — to prevent such incidents from recurring. All current and former employees who are affected will receive a letter shortly alerting them to this event,” Osmus said.

Among the measures the FAA is taking is posting information in the form of frequently asked questions on the FAA’s employee and public Web sites, Osmus said. The agency also has notified employee union representatives and congressional committees with oversight over the agency, an FAA spokeswoman said. The FAA said it notified law enforcement authorities, and they are investigating the data theft.

The server that was illegally accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the agency has no indication that those systems have been compromised in any way, the FAA said.

Although the FAA has not provided much information about the incident, Mike Rothman, senior vice president of strategy for eIQnetworks, said the FAA responded fairly quickly to the breach in narrowing down which device and files containing sensitive data were compromised.

“Their response shows they had a good response plan in place and they executed on it well,” he said. However, the FAA could improve its information security by having a “very monitoring-centric approach to understand what’s happening with your data,” Rothman said.

In January, the Office of Management and Budget named the FAA as one of four agencies to provide services to certify and accredit computer systems to assist other agencies to fulfill information security requirements under the Federal Information Security Management Act.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Reader comments

Sun, Mar 1, 2009 Christine Sanchez Queens, NY

The FAA did issue letters to the 45,000 employees/retirees, dated February 18, 2009 (and received by me, an FAA retiree, on the 27th, via snail mail). They provided FAQs, along with details to get a free year service from Experian. Unfortunately, I could not access the website they cited. The $25k Identity Theft insurance is NOT available to NY'ers! I'm wondering what the FAA is going to do for us. All of us are scared to death and sick about this whole fiasco - but it's par for the course for the FAA.

Wed, Feb 11, 2009 Tech Ops Person

They have posted NOTHING! No Q&As, no URLs, no phone numbers. Management has related no information beyond the basic, "we've been hacked". Folks should have already been told to, at a bare minimum, file a Fraud Alert with one of the three credit agencies. It can be done for free. Next, they should file a report with the FTC. Again, this can be done for free. They may wish to consider going to OptOutprescreen.com and opting out of the listings (to be a lower profile target for ID theft). The management has been negligent in its response as far as actually taking care of people. They released the information after hours on Monday. The breach occurred last week!!! We should have been told as soon as they knew, so that we could be proactive in protecting our credit and our accounts. Didn't they learn ANYTHING from the VA's multiple breaches? Where was/is their mitigation protocol for the affected employees? Was the breached processor maintained by the FAA or by a contractor? If a contractor, who? Veterans just won a class action lawsuit against the VA for this exact thing. So far, the FAA management is performing very badly.

Wed, Feb 11, 2009 Steve

As a retiree I would like to know if and when my information would have been removed from the FAA rolls? I retired in 2003 and from an ATC contractor in 2007.

Wed, Feb 11, 2009 St-Op-Pro

The FAA has always protected itself first vs its employees. I quickly enrolled in LifeLock upon hearing the news... I suggest "ALL" current FAA employees consider the same. You CANNOT depend on FAA management to do the "right" thing.

Wed, Feb 11, 2009 BOb

As an FAA employee, I am concerned that a hacker has my Social Security number, medical information, and other sensitive information. Hopefully, this information will not be used to compromise my credit rating and banking and credit card information.
