News Insights: Someone Hacked NASA

According to Casey Ellis, CTO, Bugcrowd, “Early reports indicate that the October breach of a NASA server only included personal information of current and former employees. While it appears critical mission data was not breached, employee data in the wrong hands could be just as dangerous. Adversaries could easily connect the exposed NASA data to exposed passwords of the NASA employees and attempt to hack into their work accounts to access sensitive data. This is yet another example of why cyber hygiene is imperative. Using a password manager, two-factor authorization and eliminating duplicate passwords are all key to optimizing security.

Like the OPM, Anthem, Dulles and Marriott breaches, the incident at NASA is just another in a long string of attacks targeting US officials. Think about it, officials from the NSA, CIA, FBI, DoD all mostly commute in and out of Dulles Airport, millions of people stay at Marriott/Starwood hotels, including possibly diplomats, business people or intelligence officials as they moved around the globe. Interestingly enough, the data stolen in the breaches haven’t been correlated to any type of identity theft, suggesting that nation state actors have other plans.”

Michael Magrath, Director, Global Regulations & Standards, OneSpan, commented,“Those affected by the NASA breach were likely impacted by the previous NASA breaches, the 2015 Office of Personnel Management breach that affected 21.5 million federal employees and contractors and if they transferred to DoD since onboarding with NASA they could have been victims of the DoD breach reported a few weeks ago.  An “agency breach trifecta.” Their personally identifiable information is already on the Dark Web, available for sale.  In addition to Christmas cards in their mailbox, NASA employees will receive their breach notification letter which will include the usual standard operating procedure of free credit monitoring.”

He added, “There have been discussions in Washington about implementing data protection regulations similar to the EU’s General Data Protection Regulation in the United States.  It is well past the time to better protect consumers and employees in cyberspace.  If the U.S. moves forward with GDPR-like regulations it is critical that any regulation implemented does not exclude the federal government and its employees and contractors.”