NASA breach shows there is something wrong with data rules

Two months ago, the US National Aeronautics and Space Administration (NASA) got hacked; yesterday, it told employees. For just over eight weeks, employees were blissfully unaware they were the victims of cyber-crime.

In an internal memo sent to staff on December 18, the NASA management team informed employees that servers containing personal information on current and former employees had been hacked on October 23. The agency still does not know the full extent of the breach, though personal information has been compromised, including Social Security numbers.

For those involved in the breach, nothing might happen. Or the stolen personal information could be used for a number of different things, including ruining credit scores or opening credit card and bank accounts in the individual's name. In this instance, the affected individuals have not been able to do anything to protect themselves.

“Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within,” the memo states.

“NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents.”

This is the issue with data protection and privacy laws at the moment. NASA may have wanted to inform employees and the world about the incident at the time, or it might not have. There are also rules in the US under which NASA could have been forced by law enforcement agencies to keep quiet about the incident during an investigation. While this might be the best way to catch the hackers, that will come as no comfort to those who are potentially impacted by the incident. They were left in the dark.

This is an example of government sacrificing the individual for the greater good. Authorities might be able to justify such actions by catching the hacker, thus making the world a slightly safer place for everyone else, but what compensation is that for the people who get hurt? This rule might fit into the bigger-picture scenario of government, but if even one person has been ripped off because of this delayed information, NASA and the law enforcement agencies failed that person. For us, that is not good enough.

Perhaps there is a middle ground. The employees are informed but held under some sort of non-disclosure agreement. Individuals can then take action to protect themselves, while law enforcement agencies can still act without fear the hacker will go underground.

More than anything else, this incident perhaps shows the inadequacies of rules and regulations today. The speed at which damage can be done in the digital world is startling, and people need to be as vigilant as possible. This means having all the available information to make informed decisions. This rule might have worked in a previous era, but it is outdated in today’s digital society. Let’s hope no-one feels the sharp end of the stick.