FAA suffers massive data breach; more than 45,000 affected

The Federal Aviation Administration has notified employees that one of its computers was hacked, and the personally identifiable information of more than 45,000 employees and retirees was stolen electronically. All affected employees will receive individual letters to notify them about the breach, the FAA said Feb. 9.

Two of the 48 files on the breached server contained personal information about employees and retirees who were on the FAA’s rolls as of the first week of February 2006, the FAA said in a statement.

In a letter to employees Feb. 9, Lynne Osmus, the acting FAA administrator, said that the agency’s Cyber Security Management Center was investigating unusual activity when it discovered an administrative server had been hacked.

Most of the 48 breached files were test files used for application development, but two of these files contained names and Social Security Numbers, she said. Medical information from the hacked files was encrypted and not identifiable.   

“We are moving swiftly to identify short-term and long-term measures — procedural and technological — to prevent such incidents from recurring. All current and former employees who are affected will receive a letter shortly alerting them to this event,” Osmus said.

Among the measures the FAA is taking is posting information in the form of frequently asked questions on the FAA’s employee and public Web sites, Osmus said. The agency also has notified employee union representatives and congressional committees with oversight over the agency, an FAA spokeswoman said. The FAA said it notified law enforcement authorities, and they are investigating the data theft.

The server that was illegally accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the agency has no indication that those systems have been compromised in any way, the FAA said.

Although the FAA has not provided much information about the incident, Mike Rothman, senior vice president of strategy for eIQnetworks, said the FAA responded fairly quickly to the breach in narrowing down which device and files containing sensitive data were compromised.

“Their response shows they had a good response plan in place and they executed on it well,” he said. However, the FAA could improve its information security by having a “very monitoring-centric approach to understand what’s happening with your data,” Rothman said.

In January, the Office of Management and Budget named the FAA as one of four agencies to provide services to certify and accredit computer systems to help other agencies fulfill information security requirements under the Federal Information Security Management Act.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

