FAA Hack Prompts Search for Sensitive Data

By Roy Mark  |  Posted 2009-02-26

In the aftermath of a Feb. 10 hack at the Federal Aviation Administration that exposed more than 45,000 current and former FAA employees to potential identity theft, the agency plans to use a crawler-type application to inventory the FAA's sensitive data. Once the inventory is done, the FAA will determine what data contains sensitive information and take adequate steps to protect it.

Dave Bowen, the FAA's CIO, said at a TechAmerica (the former ITAA) event Feb. 24 that the hack forced agency officials to recognize that the agency could not account for where all its sensitive employee data was in the vast FAA infrastructure. According to the FAA, the attacked server was not connected to the operation of the air traffic control system or any other FAA operational system.

"We recognize that this is a problem, and we're taking steps to remediate it," said Bowen. "We are going to be looking aggressively across our entire infrastructure. This file was just sitting out there; it didn't really relate to a system."

Bowen said the hacked server was probably used for testing purposes some time in the past and had never been cleaned of sensitive data.

According to the FAA, two of the 48 files on the breached computer server contained personal information about who was on the FAA's rolls as of the first week of February 2006. All affected employees have received individual letters to notify them about the breach.

"The FAA is moving quickly to prevent any similar incidents and has identified immediate steps as well as longer-term measures to further protect personal information," the FAA stated after the breach. "The agency is also providing a toll-free number and information on the employee Web site for those who believe they may be affected by the breach."

Bowen said the hack remains under investigation.

The number of reported data breaches in the United States jumped nearly 50 percent in 2008, according to the ITRC (Identity Theft Resource Center). All totaled, there were 656 breaches reported in 2008, up from 446 in 2007. The breaches led to nearly 35.7 million records being exposed.

According to the ITRC, only 2.4 percent of all the data breaches had the information secured by encryption or other strong protection methods. Just 8.5 percent had the exposed data protected by passwords.

Rocket Fuel