Credit Unions Should Worry About Another NASA Breach

In the world of hackers and fraud, anytime there is compromised personal information it potentially affects credit unions and members even if it centers around a government agency such as NASA.

So, when news of compromised information about current and former NASA employees hit there is cause for concern and lessons to learn.

It is the latest incident involving ongoing information security problems hounding the agency for years, Bob Gibbs, assistant administrator for the office of human capital management, announced in a Dec. 18 memo NASA employees, the agency was investigating a “possible compromise” of NASA servers first noticed in October. “NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals,” Gibbs said. Those servers stored personally identifiable information about NASA personnel, including Social Security numbers.

The extent of the data breach is murky, but it could affect both current NASA civil servants as well as those who joined or left the agency, or transferred between centers, as far back as July 2006. NASA had suffered similar security breaches in 2016 and 2011.

Gaurav Banga, CEO and founder of San Jose, Calif.-based Balbix, said “NASA and other government agencies store massive amounts of highly sensitive data. As disastrous as it is for NASA to expose its employees’ personally identifiable information, this breach indicates the agency needs to strengthen its current security measures to ensure all other data is secure and can’t be exploited for more sinister intentions.”

Banga noted to best combat these threats, these agencies must implement security tools that use machine learning and automation to monitor their enormous attack surfaces

Stephan Chenette, CTO and co-founder, San Diego’s AttackIQ explained in 2016 a major hack compromised NASA employee data, flight logs and videos, and the intruders were even able to alter the path of one of NASA’s drones. “After multiple serious security incidents, the agency needs to reevaluate the funds and resources it is dedicating toward cybersecurity and adopt solutions that provide visibility into their cyberreadiness on a continuous basis to ensure its systems are operating as intended and defending the organization’s data.” Chenette suggested a more robust solution would give NASA’s executive team confidence their operations will not be interrupted by a security breach, thus saving time, money, intellectual property and more.

“The scope of this breach is still unknown; however, NASA has more than 17,000 employees (and more former employees) who may have been affected. While NASA confirmed that it was working with federal authorities to investigate the breach, waiting two months to notify employees is quite negligent – particularly in light of the fact that Social Security numbers were exposed,” Jacob Serpa, product marketing manager, at Campbell, Calif.-based Bitglass, stated.

Serpa added obviously, the best-case scenario is to avoid breaches altogether; however, if one does occur, proper steps must be taken to mitigate damage and communicate with affected stakeholders in a timely manner. These platforms must include identity and access management capabilities for verifying users’ identities, detecting potential intrusions, and enforcing step-up, multi-factor authentication in real time.”

According to Anthony James, vice president/marketing, San Jose-based CipherCloud, “NASA is no stranger to cyberattacks of all types and has been the target of some rather famous attackers. Back in 2000, a 15-year-old hacker called ‘c0mrade’ caused a three-week shut down of NASA computers supporting the international space stations, got inside of a DOD weapons system to steal 3000+ emails, steal passwords, and more. Try as they can, NASA is still plagued by cyber threats and remains a U.S. federal government high profile target of choice for cyberthieves.”

These incidents are not isolated anymore and credit unions should stay alert.

Gene Fredriksen, chief information security strategist for St. Petersburg, Fla.-based CUSO PSCU, pointed out: “In my opinion, this is another example where investigators tend to look at each breach as a standalone incident. In actuality, we as an industry need to look at the whole profile of information that can be gleaned about an individual or company from multiple breaches.”

For instance, Fredriksen explained information that lists employees working at NASA, coupled with information from social media sites as well as financial breaches, could help criminals identify individuals who may be targets for extortion or financial inducements. “Imagine the personal profile that could be built on an individual with information breached from NASA, LinkedIn, Facebook, the Office of Personnel Management breach and Experian.”

Fredriksen warned, “We leverage data analytics to use information from many sources to gain insights into member trends and behaviors. Is there reason why we would not believe that criminals would also leverage data analytics to gain access to sensitive programs or information? We need to work in concert through information sharing to identify potential targets and opportunity that the cybercriminals may be planning.”