March 8th, 2009

Federal Aviation Authority Confirms 45,000 Employees Personal Records Stolen In A Breach

FAA officials had to admit that hackers breached one of the agency’s servers, stealing 48 files. Two of the files contained information on 45,000 current and former FAA employees, including sensitive information that could potentially make them vulnerable to identity theft.

The security breach, significant and potentially far-reaching, demonstrates the problems of securing federal computer systems and the difficulty of evading every potential attack.

Most of the files that the hackers copied contained useless test data, according to FAA officials. It remains unclear if the server also coincidentally contained old sensitive data or if agency employees were using real information in a test environment. The compromised records were from 2006, according to FAA officials.

Patrick Forrey, president of the National Air Traffic Controllers Association, said he believes the hacked FAA server had been largely unused for a couple of years, and as a result, FAA “did not update the security protection software on it.” The attackers might have tried to penetrate several different servers before finding a vulnerable one, he said.

FAA’s Cyber Security Management Center discovered the agency’s break-in. Its personnel were investigating unusual activity in an administrative server when it became evident that hackers had broken through the defenses, said Lynne Osmus, acting FAA administrator, in a letter to employees dated Feb. 9.

FAA said it notified law enforcement authorities, and they are investigating the data theft.

FAA’s director of the Office of Information Systems Security and chief information officer did not respond to requests for comment.

Based on its timely response, FAA demonstrated that it has a response plan, but it could improve its information protection through better monitoring of security controls to understand what’s happening with their data, said Mike Rothman, senior vice president of strategy at eIQnetworks. “But it is difficult to prevent all unauthorized access,” he said.

The FAA incident is “just proof of the fact that we need to fundamentally look at the way we have architected our technology,” said Howard Schmidt, a former top cybersecurity adviser in the Bush White House and now president of the Information Security Forum. “When you start looking at organizations that really work hard and have really good people – I know the guys over there, they are really professional and they are really good – but yet to have something take place just shows how that no matter how secure you are you fundamentally still are at risk.”

FAA will provide free credit monitoring for a year through the Experian Triple Advantage program, said Laura Brown, an FAA spokeswoman. The agency has provided a toll-free number for employees and posted frequently asked questions on its employee Web site.

Security breaches have plagued the government for years, and reports suggest they are increasing even though agencies are taking steps to strengthen information security.

