FAA Screws 45,000 Employees

Someone at the FAA neglected to secure one of their systems and allowed all of the personally identifiable information on 45,000 employees to leave the network.  Details are scant right now, but I don’t think this was a matter of a stolen or lost laptop, nor is it an insecure HR webserver that was penetrated through a simple SQL injection.  I think this was a trojan horse malware placed on an internal system, or maybe an old server sitting behind an outdated firewall rule.

The AP describes it here:

Hackers broke into the Federal Aviation Administration’s computer system last week, accessing the names and Social Security numbers of 45,000 employees and retirees.

The agency said in a statement Monday that two of the 48 files on the breached computer server contained personal information about employees and retirees who were on the FAA’s rolls as of the first week of February 2006.

The server that was accessed was not connected to the operation of the air traffic control system and there is no indication those systems have been compromised.

“The FAA is moving quickly to prevent any similar incidents and has identified immediate steps as well as longer-term measures to further protect personal information,” the statement said. The data theft has been reported to “law enforcement authorities,” who are investigating.

This is unusual in that the file accessed had data prior to February 2006.  This could mean several things, but most likely, this may be an old system that had been offline for a while and then improperly restored to the network.  The Federal government routinely recycles systems, and perhaps this was an old server that had been put back online after some maintenance without first wiping the old data from the drive.