FAA suffers massive data breach; more than 45,000 affected

The Federal Aviation Administration has notified employees that one of its computers was hacked, and the personally identifiable information of more than 45,000 employees and retirees was stolen electronically. All affected employees will receive individual letters to notify them about the breach, the FAA said Feb. 9.

Two of the 48 files on the breached server contained personal information about employees and retirees who were on the FAA’s rolls as of the first week of February 2006, the FAA said in a statement.

In a letter to employees Feb. 9, Lynne Osmus, the acting FAA administrator, said that the agency’s Cyber Security Management Center was investigating unusual activity when it discovered an administrative server had been hacked.

Most of the 48 breached files were test files used for application development, but two of these files contained names and Social Security Numbers, she said. Medical information from the hacked files was encrypted and not identifiable.   

“We are moving swiftly to identify short-term and long-term measures — procedural and technological — to prevent such incidents from recurring.  All current and former employees who are affected will receive a letter shortly alerting them to this event,” Osmus said.

Among the measures that the FAA is taking is to post information in the form of frequently asked questions on the FAA’s employee and public Web sites, Osmus said. The agency also has notified employee union representatives and congressional committees with oversight over the agency, an FAA spokeswoman said. The FAA said it notified law enforcement authorities, and they are investigating the data theft.

The server that was illegally accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the agency has no indication that those systems have been compromised in any way, the FAA said.

Although FAA has not provided much information about the incident, Mike Rothman, senior vice president of strategy for eIQnetworks, said the FAA responded fairly quickly to the breach in narrowing down which device and files containing sensitive data were compromised.
 
“Their response shows they had a good response plan in place and they executed on it well,” he said. However, the FAA could improve its information security by having a “very monitoring-centric approach to understand what’s happening with your data,” Rothman said.
 
In January, the Office of Management and Budget named the FAA as one of four agencies to provide services to certify and accredit computer systems to assist other agencies to fulfill information security requirements under the Federal Information Security Management Act.