It was recently reiterated again what a bunch of amateurs work in FAA administration/information technology.
I (as well as many of my air traffic colleagues) admittedly have a great deal of intolerance for incompetence in FAA management and administration as air traffic controllers get zero leeway to make mistakes in their jobs.
And if air traffic controllers make mistakes while working, the situation is scrutinized in great detail afterwards (Monday morning quarterbacking by office people or, to quote a friend, “Use your best judgment; you’ll be second-guessed later”), whereas other people in the same agency are allowed to routinely make grievous errors with little or no consequence. How nice for them…
It made the news that about a week ago someone in Turkey hacked into an FAA administrative server and made off with the names and social security numbers of some 45,000 FAA employees, as well as encrypted medical information for employees.
The story seems to have originated from union leaders of FAA employees rather than the FAA itself. Over 24 hours after the breach was announced I’ve still yet to be formally advised by my employer of the breach.
The FAA was quick to point out in its press release that the servers that were compromised weren’t air traffic computers; only administrative ones, as if it were a trivial matter to the 45,000 employees whose information was stolen.
The server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the FAA has no indication those systems have been compromised in any way.
Now history has shown that the hackers are usually more wily than the security guys and the way many security issues get discovered/highlighted and/or fixed is after a breach. So I normally wouldn’t have a problem with the breach if that was the only issue.
But there are two bigger problems I have with what happened.
First, and foremost, is anyone with even the most basic common sense could figure out that the best security is to keep confidential information off servers that could be breached.
I have no idea why the FAA had/has confidential employee information on servers accessible to the Internet to begin with! The FAA has its own (allegedly) secure intranet/network for such purposes, so what possible purpose would having personnel information accessible via the Internet serve?!
As it is an obvious security risk it seems inexcusable that this information was online to begin with.
And to top it off, apparently this data was there because the FAA was using it for testing!
From an email from the Acting FAA Administrator, Lynne Osmus:
Most of the 48 breached files were test files used for application development. Two of these files contained names and social security numbers. One of them contained information on more than 45,000 employees and retirees who were on FAA rolls as of the first week of February 2006. Medical information from the hacked files was encrypted and not identifiable.
Now what moron uses real employee data for testing?! (Besides the FAA, I mean…) Would it have been that difficult to generate 45,000 fake social security numbers and names for testing?
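To put a size on that question, here is an added example (not part of the original post and not FAA code) that builds 45,000 synthetic name/SSN records and includes a guard that flags SSN-shaped values in a test fixture that could belong to a real person. The name pools, function names and sample lines are constructed; it assumes SSNs in the 000 and 666 areas, which the SSA has never assigned.

```python
import random
import re

# Area numbers the SSA has never assigned; 9xx is avoided because it overlaps ITINs.
NEVER_ISSUED_AREAS = ("000", "666")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed name pools, not taken from any real roster.
FIRST = ["Alex", "Blake", "Casey", "Devon", "Emery", "Finley", "Gray", "Harper"]
LAST = ["Testcase", "Sample", "Placeholder", "Fixture", "Mock", "Dummy"]


def synthetic_employees(count, seed=2006):
    """Return `count` fake records with unique SSNs that cannot belong to anyone."""
    rng = random.Random(seed)  # seeded so test fixtures are reproducible
    # 2 areas * 99 groups * 9999 serials = 1,979,802 possible values
    space = len(NEVER_ISSUED_AREAS) * 99 * 9999
    if count > space:
        raise ValueError("requested more records than unique synthetic SSNs")
    records = []
    for n in rng.sample(range(space), count):  # sample() guarantees uniqueness
        area, rest = divmod(n, 99 * 9999)
        group, serial = divmod(rest, 9999)
        # +1 keeps group 00 and serial 0000 out of the output
        ssn = f"{NEVER_ISSUED_AREAS[area]}-{group + 1:02d}-{serial + 1:04d}"
        records.append({"name": f"{rng.choice(FIRST)} {rng.choice(LAST)}", "ssn": ssn})
    return records


def possibly_real_ssns(text):
    """Return SSN-shaped strings in `text` that are not in a never-issued area.

    Intended as a guard over test fixtures: any hit may be production data.
    """
    return [m.group(0) for m in SSN_RE.finditer(text)
            if m.group(1) not in NEVER_ISSUED_AREAS]


if __name__ == "__main__":
    staff = synthetic_employees(45_000)
    fixture = "\n".join(f"{r['name']},{r['ssn']}" for r in staff)
    print(staff[0], "| flagged in synthetic fixture:", possibly_real_ssns(fixture))
    # Constructed line standing in for a production record copied into a fixture.
    print("flagged:", possibly_real_ssns("Jordan Example,123-45-6789"))
```

Running `possibly_real_ssns` over test files before they reach a development server turns "no real data in test" from a policy into a check that can fail a build.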
Even though I view this as an egregious cluster-fuxk I’m sure nothing will come of this other than the potential problems for anyone whose information was stolen.
But I’m sure the FAA is really sorry, so that makes up for it, right?
Thanks a lot, FAA!