Author Archives: Nandita Jha

Indian state-owned gas agency leaked 6 million Aadhaar Numbers






An ethical French hacker claims to have found a vulnerability on the website of the Indian state-owned gas agency Indane which exposed nearly 6 million Aadhaar numbers of dealers, customers and distributors.

Elliot Alderson wrote a blog post on 18 February detailing how he was alerted, through a private message, to a vulnerability in a web portal meant for local dealers. The exposed data includes the names, Aadhaar numbers and addresses of customers.

The cyber security researcher looked at Indane's Android app and found a “Locate Your Distributor” feature, which returns the ids of the dealers in a given “bgadistrict”. Using a dichotomy (bisection) method he was able to find the ids of all the dealers across the 714 bgadistricts.

"Great, time to code! We have everything we need to get the size of this leak. Thanks to the endpoint found in the Android app, we will obtain all the valid dealer ids and then we will scrape all the “Total records” in the local dealer portal," Alderson wrote.

He wrote a Python script which, when executed, fetched 11062 valid dealer ids. "After more than 1 day, my script tested 9490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak.

"Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200," Alderson further added.


However, Indane has refused to acknowledge the data leak, and Alderson has snapped back at the gas agency with a meme. UIDAI did not respond to reports of the leak.

Meet an Indian hacker who wants to revolutionize cyber-security


A security researcher found a vulnerability in the IRCTC website, and the bug was fixed in no time.

The bug affected the website's password reset option. When a user types in their user id, the site automatically sends an OTP to the mobile number registered to the account. A CAPTCHA is in place to prevent brute-forcing of the OTP, but in this case the site accepted the same solved CAPTCHA again for an unlimited number of requests.

The researcher, Ronnie T Baby, a third-year engineering student, exploited the bug by brute-forcing the OTP; once logged in, he could view all the personal details of the account holder, such as address, booked tickets and so on.
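The flaw described above (a CAPTCHA that stayed valid for unlimited OTP attempts) comes down to two missing server-side controls. The following Python model is added here as an illustration and is not IRCTC's code: it shows a password-reset verifier that consumes each CAPTCHA token on first use and locks the reset after a small number of wrong OTP guesses. The `MAX_ATTEMPTS` and `OTP_TTL_SECONDS` values and all class and function names are assumptions made for the example.

```python
"""Hardened password-reset OTP verifier (added example, not IRCTC's code).

Models the defence against the flaw described above: a CAPTCHA solution
must be consumed on use (one token, one verification attempt), and OTP
guesses are capped per reset request so that a short numeric code cannot
be brute-forced.  All names and policy values are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
MAX_ATTEMPTS = 5          # assumed policy: lock the reset after 5 wrong guesses
OTP_TTL_SECONDS = 300     # assumed policy: the code expires after 5 minutes


@dataclass
class ResetRequest:
    otp_hash: bytes       # only a hash of the OTP is stored server-side
    created_at: float
    attempts: int = 0
    locked: bool = False


class CaptchaStore:
    """Issues CAPTCHA tokens and consumes each of them exactly once."""

    def __init__(self):
        self._valid = set()

    def issue(self) -> str:
        token = secrets.token_urlsafe(16)
        self._valid.add(token)
        return token

    def consume(self, token: str) -> bool:
        # Single-use: the token is removed on its first successful check.
        # A store that only tested membership (the flaw described above)
        # would let one solved CAPTCHA authorise unlimited OTP guesses.
        if token in self._valid:
            self._valid.remove(token)
            return True
        return False


class PasswordResetService:
    def __init__(self, captcha: CaptchaStore, now=time.time):
        self.captcha = captcha
        self.now = now
        self._requests: dict[str, ResetRequest] = {}

    @staticmethod
    def _hash(user_id: str, otp: str) -> bytes:
        return hashlib.sha256(f"{user_id}:{otp}".encode()).digest()

    def start_reset(self, user_id: str) -> str:
        """Generate an OTP, store only its hash, and return the OTP for delivery by SMS."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._requests[user_id] = ResetRequest(self._hash(user_id, otp), self.now())
        return otp

    def verify(self, user_id: str, otp: str, captcha_token: str) -> str:
        """Return 'ok', 'bad_captcha', 'locked', 'expired' or 'wrong_otp'."""
        if not self.captcha.consume(captcha_token):
            return "bad_captcha"
        req = self._requests.get(user_id)
        if req is None or req.locked:
            return "locked"
        if self.now() - req.created_at > OTP_TTL_SECONDS:
            del self._requests[user_id]
            return "expired"
        req.attempts += 1
        if hmac.compare_digest(req.otp_hash, self._hash(user_id, otp)):
            del self._requests[user_id]
            return "ok"
        if req.attempts >= MAX_ATTEMPTS:
            req.locked = True
            return "locked"
        return "wrong_otp"
```

In the vulnerable design, `CaptchaStore.consume` would merely test membership without removing the token, so one solved CAPTCHA could front every guess; consuming the token and counting attempts per reset request are what make a six-digit OTP acceptable.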

"I found that I could easily cancel any booked tickets. Imagine someone going to their hometown for vacation, and getting a message, 'Your ticket has been cancelled!' What a let down to your cozy travel?!"

He claimed to have forwarded the vulnerability to CERT-In, whose officials reported it to the technical team of IRCTC.

This is not the first time he has found a vulnerability; for previous findings he has been awarded $3000 by Google, Microsoft, Oracle and others.

In an email interview with Ehackingnews he said, "Indian programmers are not up to the mark; they lack security knowledge." He got interested in cyber security at an early age and was always fascinated by the term "hacking", but he could only pursue that dream after joining engineering college, where he got free internet access.

"One day, I went away from the hustle and bustle of daily college routine, sat in an empty class, took out a sheet of paper and wrote all the things I am good at. One thing I realized was that, being an introvert, I observed the world around me very deeply. I liked walking through paths rarely crossed by others. I usually did the opposite of what the crowd does! I came to the conclusion that cyber security was the apt field for a guy like me. Other fancy words which are still booming now include machine learning, data science etc. For me, security was everything and that is what I started thinking about day and night," he further added.

He has advice for all those who don't know how to begin in any field. "Google is your best friend. I never needed anyone's help in anything. We have such a huge population that, I will argue, any query you have had in your life, the same doubt would have crept into someone else's mind at the other end of the world. So open your eyes, and start searching for solutions and self-learning, instead of asking "How do I hack?" Yes, for guidance, it is always recommended to be in touch with the pros and able people of any particular field."


Parenting website Mumsnet hit by data breach after glitch in software





The London-based parenting advice website Mumsnet has been hit by a data breach that allowed thousands of its users to see other users' personal account information.

In a notice posted on its website, the company said the problem was first detected at 2pm on 5 February and again at 9am on 7 February. It has reported the matter to the UK's data protection authority, the Information Commissioner’s Office.

“During this time, any two users logging into their accounts at precisely the same time may have had their account info switched”, it said.

According to the company's website, the data of around 46 users was affected, and there is no record of passwords being exposed.

"You've every right to expect your Mumsnet account to be secure and private," wrote Ms. Justine Roberts, Mumsnet founder. "We are working urgently to discover exactly how this breach happened and to learn and improve our processes."

The exposed data includes email addresses, account details, posting history and personal messages.

The breach was the result of a technical fault in the software. The company has now reversed the software update and has forced every user to sign into their account again, to stop users lurking in someone else's account.


Apple warns app developers over screen recording





Apple has given an ultimatum to app developers who secretly record their customers' screens: quit snooping or get kicked off the App Store.

The company took this decision after TechCrunch reported that apps such as Expedia, Hollister and Hotels.com were using third-party analytics software to record a user's taps and swipes on the screen.

The report also noted that none of the apps asked users for explicit permission to record screen activity, nor disclosed that they use such software.

According to the report, most of these apps use an analytics tool from Glassbox, a technique also known as "session replay": it records all of the user's activity and lets whoever holds the recordings replay how the user interacted with the app. The practice is a clear violation of Apple's privacy policies.

In a statement, Apple said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store review guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging or otherwise making a record of user activity. We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary.”

Reacting to the claims, however, Glassbox has said that it is not interested in 'spying' on customers and that its goal is to improve online experiences.

“Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on websites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling. We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded — just as contact centres inform users that their calls are being recorded.”

Amazon, Microsoft call for regulation of face recognition




Amazon is batting in favor of regulating and legislating the use of facial recognition technology and has written a long, detailed blog post setting out its stand on the issue.

In the blog post, written by Michael Punke, Vice-President of Global Public Policy at Amazon Web Services (AWS), the company revealed its "proposed guidelines" for the use of the technology by companies, so that it cannot be used to discriminate.

Punke wrote that the company “supports the creation of a national legislative framework covering facial recognition through video and photographic monitoring on public or commercial premises.”

Amazon has faced criticism after tests by civil rights groups and the ACLU found that Amazon's Rekognition face analysis functions are less accurate for black people. In January, two researchers reported that an Amazon Web Services function that determines the gender of people in photos is also less accurate for black women.

However, Amazon refuted the claims of the studies, saying that Rekognition was “not used properly” by the researchers.

Amazon wants legislation “that protects individual civil rights and ensures that governments are transparent in their use of facial recognition technology,” Punke wrote.

The blog post is seen as a move to counter the facial recognition backlash.

Spotify to block accounts of users using ad blockers





The online music streaming platform Spotify will terminate the accounts of users who use ad blockers; the company has updated its terms of service, which come into effect on March 1st.

According to the updated terms of service, “Circumventing or blocking advertisements in the Spotify Service, or creating or distributing tools designed to block advertisements in the Spotify Service,” is prohibited. Spotify also notes that breaking that rule or any other guideline “may result in immediate termination or suspension of your Spotify account.”

The company decided to change its terms of service after millions of its users were blocking advertisements by using ad blockers or were downloading modded versions of the app. They have sent a detailed email to notify every user about the new update.

Spotify has two tiers: free and premium.

Users pay $9.99 per month for the premium service, which gives unlimited access to music without ads, while in the free version a user can listen on demand to 15 popular playlists curated by an algorithm to match the user's taste.

Germany restricts Facebook’s data sharing practices




Germany has announced a far-reaching restriction on Facebook's practice of collecting data about users without their consent across its own platforms, such as Instagram and WhatsApp, and related third-party sites.

The ruling came after a three-year investigation, and it restricts the social media giant from collecting data even from external websites that carry a Facebook Like button.

"In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook accounts," Federal Cartel Office chief Andreas Mundt said in the landmark order on Thursday.

Facebook has one month to appeal against the ruling, and according to sources the company has vowed to challenge the decision, saying "it had been unfairly singled out and accusing German officials of 'underestimating' the competition they faced."

The country's anti-trust regulator said that Facebook's terms and conditions have forced users to accept its policy of collecting data from multiple websites.

The ruling allows Facebook to collect data from the services it owns, like WhatsApp and Instagram, but users will have to give their consent.

If users do not agree to the terms and conditions, then the data "must remain with the respective service and cannot be processed in combination with Facebook data," the regulator said.

"The previous practice of combining all data in a Facebook user account, practically without any restriction, will now be subject to the voluntary consent given by the users," says Mundt.

However, Facebook has slammed the ruling, saying: "We face fierce competition in Germany, yet the [regulator] finds it irrelevant that our apps compete directly with YouTube, Snapchat, Twitter and others. As part of complying with the GDPR, we revamped the information we provide people about their privacy and the controls they have over their information. Using information across services helps to make them better and protect people’s safety."

Bye Google Plus! Download all your data before April 2





Google has confirmed that it will finally shut down its social networking site, Google Plus, on April 2, 2019, after discovering a security flaw which compromised the personal data of more than 52.5 million users.

The company also cited "other challenges", such as low usage and high maintenance costs, as reasons that forced the tech giant to take such a big step.


It will allow all users to download their data, such as videos and photos, from the networking site before it starts deleting content from user accounts. Since February 4, users have been unable to create new Google+ profiles or other new pages on the site.

“The process of deleting content from consumer Google+ accounts, Google+ Pages, and Album Archive will take a few months, and content may remain through this time. For example, users may still see parts of their Google+ account via activity log and some consumer Google+ content may remain visible to G Suite users until consumer Google+ is deleted,” Google+ said in its support page.

The company has advised all its users to download and save all their photos and videos before April 2. However, the photos and videos in Google Photos won't be deleted.

The data for Google+ community owners and moderators will be available to download from early March.

Here are the steps to download all your data safely:
1) Log in to your Google Plus account and open the ‘Download Your Data’ page.
2) Click "Select specific data" and untick the data that you don't want to download.
3) Then click OK.
4) Select the file type and delivery method for the archived data.
5) Click "Create archive".

WhatsApp enables Face ID or Touch ID for iOS users








WhatsApp has launched a new update for its iOS app that supports biometric authentication, which allows users to 'lock' the app with Touch ID or Face ID.

The feature is available from today in WhatsApp for iOS version 2.19.20; every iOS user can update the app and use it. After updating the app from the Apple App Store, go to “Settings” –> “Account” –> “Privacy” and switch “Screen Lock” on.

It cannot lock individual chats, but enabling it adds an extra layer of security to your private WhatsApp chats. Once the feature is enabled, it requires you to authenticate with Touch ID or Face ID every time you open the app.




If biometric authentication fails, users can unlock the app using a passcode.

The company is working on a similar feature for its Android app as well; its fingerprint authentication feature is in the alpha stage of development. The feature is reported to work on smartphones with a fingerprint sensor running Android 6.0 Marshmallow or above.

Karma, an iPhone spy tool used by the UAE government

  
A team of former U.S. government intelligence operatives has recently developed a spy tool known as “Karma” that allowed the United Arab Emirates government to remotely hack the iPhones of activists, diplomats and foreign leaders, retrieving photos, emails, text messages and location data from the targets' iPhones.

The tool is activated simply by loading the phone number or email address of the intended target; the target need not click on any link. Most spy tools work by fooling users into clicking on a malicious link and then gathering their device’s sensitive information.

According to the Reuters report, the UAE government was able to use the spy tool to access users' emails, text messages, photos, location and passwords, which could be used for further attacks. Reuters wrote: “A team of former U.S. government intelligence operatives working for the United Arab Emirates hacked into the iPhones of activists, diplomats and rival foreign leaders with the help of a sophisticated spying tool called Karma […]

The […] operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone”

There is no specific information on how the tool worked, but it was iPhone-specific, and the UAE government paid the team to develop Karma.

According to the Reuters report, Karma was at its most effective in 2016 and 2017. “It isn’t clear whether the Karma hack remains in use. The former operatives said that by the end of 2017, security updates to Apple Inc’s iPhone software had made Karma far less effective”, the report says, adding: “Tools like Karma, which can exploit hundreds of iPhones simultaneously, capturing their location data, photos, and messages, are particularly sought-after, veterans of cyberwarfare say. Only about 10 nations, such as Russia, China, and the United States and its closest allies, are thought to be capable of developing such weapons, said Michael Daniel, a former White House cybersecurity czar under President Obama.”

Both the UAE government and Apple refused to comment.

Google services down for some users in Europe and India





A number of Google services, including the massively popular email service Gmail, were down for some users. Google confirmed the affected services on its website.

Various Google services had been down since 5:20 PM IST. The affected services included Gmail, Google Calendar, Google Drive, Google Docs, Sheets, Slides, Google Groups, Hangouts, Hangouts Chat, Hangouts Meet, Google Vault, Google+ and Google Forms. Affected users were receiving 404 Not Found errors. For most users, the services were restored by 5:47 PM.

Services were restored at 6:09 PM IST, and Google said: “The problem with Gmail should be resolved. We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google and we are making continuous improvements to make our systems better.”

Exact geographical details of the disruption are not available, but the affected areas were noted to be Europe and India. The first report of disrupted Google services came at around 5:00 PM, and the outage was confirmed by Google itself on the G Suite Service Dashboard.

Google wrote for Gmail on the dashboard: “We are aware of a problem with Gmail affecting a significant subset of users. The affected users are unable to access Gmail.

We will provide an update by 1/29/19, 6:20 PM detailing when we expect to resolve the problem. Please note that this resolution time is an estimate and may change. Users are getting 404s when signing in.” The company had not given an exact time frame by which all services would be restored.

High-end cars vulnerable to hacking through wireless transmitters



Several high-end cars with keyless entry systems were found to be extremely vulnerable to hacking using simple wireless transmitters. The German General Automobile Club (ADAC) tested the vulnerability on 237 keyless entry models, finding that 230 of them could be hacked within a few minutes, making almost 99% of modern keyless cars susceptible to theft.

The technique is known as a “relay attack”, and it lets thieves unlock keyless car locking systems. In this attack, wireless devices are used to relay the signals from the key further than they would normally reach. When the car picks up the signal re-transmitted by the relay, it is possible to unlock the car and drive it away. Owners of such cars are therefore advised to keep their keys out of sight and reach of thieves, or to keep them in a metal box so that the signals can’t escape. Another piece of advice is to use a steering wheel lock.

Several models from major manufacturers have been found to be affected, including Audi, BMW, Chevrolet, Fiat, Ford, Honda, Hyundai, Jeep, Jaguar, Land Rover, Mercedes, Tesla, Toyota, Volkswagen, Skoda, Renault, Nissan, Suzuki, Opel, Mitsubishi and many more. The only cars not affected by the attack were the newest models of the Land Rover Discovery, Land Rover Range Rover and the Jaguar i-Pace. These cars use keyless fobs with ultra-wide-band technology, which determines the distance of the fob from the vehicle far more precisely, meaning the car's unlocking system can't be easily fooled.
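The contrast the paragraph draws, between fobs that unlock on any valid reply and ultra-wide-band fobs that measure distance, can be made concrete with a small timing model. The Python below is an added illustration, not ADAC's test method or any manufacturer's code: it simulates the car's view of a challenge/response exchange for an honest fob and for a relayed one, then applies two unlock policies. The fob processing delay, signal strength, timer resolution and the 2 m threshold are constructed constants.

```python
"""Why time-of-flight ranging resists relay attacks (added illustration).

Two unlock policies side by side: one that treats any strong, valid fob
reply as proof of proximity (the behaviour a relay exploits), and one that
bounds the fob's distance from the round-trip time of a challenge, as
UWB-style fobs do.  All timings and the threshold are constructed values.
"""
from dataclasses import dataclass

C = 299_792_458.0            # speed of light in m/s
FOB_PROCESSING_NS = 1_000.0  # assumed fixed fob turnaround time
MAX_UNLOCK_DISTANCE_M = 2.0  # assumed policy: fob must be within 2 m
TIMER_RESOLUTION_NS = 1.0    # assumed: 1 ns of timing error is about 0.15 m one way


@dataclass
class Exchange:
    """One challenge/response as observed by the car."""
    reply_valid: bool   # the response carried a correct answer to the challenge
    rssi_dbm: float     # received signal strength at the car
    rtt_ns: float       # time from challenge sent to reply received


def simulate_honest(distance_m: float) -> Exchange:
    """Fob at the given distance answers directly."""
    rtt = 2 * distance_m / C * 1e9 + FOB_PROCESSING_NS
    return Exchange(True, -40.0, rtt)


def simulate_relayed(fob_distance_m: float, relay_delay_ns: float) -> Exchange:
    """Relay forwards the exchange between a distant fob and the car.

    The reply is valid and the signal near the car is strong, but radio
    cannot travel faster than light: the round trip still covers the real
    distance to the fob, plus whatever delay the relay electronics add.
    """
    rtt = 2 * fob_distance_m / C * 1e9 + FOB_PROCESSING_NS + relay_delay_ns
    return Exchange(True, -40.0, rtt)


def unlock_by_presence(x: Exchange) -> bool:
    """Policy defeated by relays: valid reply plus strong signal is enough."""
    return x.reply_valid and x.rssi_dbm > -70.0


def estimated_distance_m(x: Exchange) -> float:
    """Distance implied by the round-trip time, net of fob processing."""
    return max(0.0, (x.rtt_ns - FOB_PROCESSING_NS) * 1e-9 * C / 2)


def unlock_by_distance_bound(x: Exchange) -> bool:
    """UWB-style policy: unlock only if the fob is provably close."""
    tolerance = TIMER_RESOLUTION_NS * 1e-9 * C / 2
    return x.reply_valid and estimated_distance_m(x) <= MAX_UNLOCK_DISTANCE_M + tolerance


if __name__ == "__main__":
    for label, ex in [("honest fob at 1 m", simulate_honest(1.0)),
                      ("relayed fob at 30 m", simulate_relayed(30.0, 0.0))]:
        print(f"{label}: presence={unlock_by_presence(ex)}, "
              f"distance_bound={unlock_by_distance_bound(ex)}, "
              f"estimated={estimated_distance_m(ex):.1f} m")
```

Note that the relayed case fails the distance bound even with a zero-delay relay; real relay hardware only makes the implied distance larger.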

The Volkswagen Group, which owns Audi, Skoda and VW, said it takes car security seriously and is looking at ways to improve the locking system. Other car manufacturers, including Hyundai, Ford, Nissan, Kia, Volvo and the PSA group (Citroen, Peugeot and Vauxhall), also said they are working to make car security better.

Hyundai declined to comment on the attack, and several others pointed out that the number of cars stolen through relay attacks is low, while Mercedes and BMW said they have introduced motion sensors: if the fob is not moving while someone tries to open the car, the car will not unlock.




Over 95,000 data violation cases in the EU


The European Commission said on Friday that, eight months after the adoption of a landmark EU privacy law, more than 95,000 complaints regarding data breaches have been received by Europe's data protection regulators.

Privacy enforcers have received new powers from the General Data Protection Regulation (GDPR) that enable them to impose fines of up to 4% of a company's global revenue or EUR 20 million ($23 million), whichever is higher.

Google, a unit of Alphabet, was fined EUR 50 million by the French data protection regulator for failing to obtain users' consent for personalized ads, the largest sanction under the new GDPR rules so far.


Privacy regulators have opened 225 investigations to date; the majority of the complaints concern telemarketing, promotional emails and video surveillance by closed-circuit television, and more penalties could follow as people in the European Union become more aware of their privacy rights.

In a joint statement, EU digital chief Andrus Ansip, European Commission Vice President Frans Timmermans, EU justice chief Vera Jourova and EU digital economy commissioner Mariya Gabriel said: "What is at stake is not only the protection of our privacy, but also the protection of our democracies and ensuring the sustainability of our data-driven economies."



Amazon, Apple, Spotify, Google failed to comply with GDPR






Online entertainment streaming services from Apple, Amazon, Spotify and Google, along with eight other tech giants, have been accused of failing to comply with the European Union's General Data Protection Regulation (GDPR).

The European Union's data regulation law gives customers the right to access a copy of the personal data that companies hold about them.

Data privacy activist Max Schrems, a director at Noyb, requested his private data from the companies. The companies did let people download a copy of their data, but some of that data was "unintelligible and difficult to understand by people."

"No service fully complied," Noyb said in its statement.

The Austrian watchdog Noyb filed complaints against the tech giants with the Austrian authority on behalf of ten users.

Schrems said: "In most cases, users only got the raw data, but, for example, no information about who this data was shared with.

"This leads to structural violations of users' rights, as these systems are built to withhold the relevant information."

The companies could be fined up to 20 million euros (£17.7m) or 4% of a company's global turnover as per the GDPR.

However, Spotify released a statement stating: "Spotify takes data privacy and our obligations to users extremely seriously. We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant."

Tesla announces big bounty contest of $900,000 for hackers




Tesla has opened up its cars' software and devices for the high-profile Pwn2Own hacking contest in Vancouver. The winner will get a Tesla Model 3, and other prizes worth more than $900,000 are on offer.

The biggest prize of $250,000 will be awarded to whoever can hack and execute code on the car's gateway, autopilot or Vehicle Controller Secondary (VCSEC). The gateway inside the car is responsible for the powertrain, chassis and other components; autopilot is a driver assistance feature that helps the driver with lane changing, parking and other driving functions; and VCSEC handles security functions.

“Tesla essentially pioneered the concept of the connected car with their Model 3 sedan, and in partnership with Tesla, we hope to encourage even more security research into connected vehicles as the category continues to expand,” the Zero Day Initiative said in its blog on the contest.

The hacking attack would be carried out on a Model S mid-range rear-wheel-drive vehicle, and the target areas are:
· Modem or tuner for $100,000
· Wi-Fi or Bluetooth for $60,000
· Three infotainment system targets for a total of $205,000
· Gateway, autopilot or VCSEC for $250,000
· Autopilot DoS for $50,000
· Key fob or phone-as-key for $100,000

A security researcher at Trend Micro said that "Since 2007, Pwn2Own has become an industry-leading contest that encourages new areas of vulnerability research on today's most critical platforms."

"Over the years we have added new targets and categories to direct research efforts toward areas of growing concern for businesses and consumers."

Tesla is the only car manufacturer that has openly participated in a hacking contest.

FBI investigation records, and other confidential files exposed in Oklahoma Government data leak



Security researchers have disclosed an open server at the Oklahoma Securities Commission holding a huge trove of data, including confidential government files and documents related to FBI investigations.

The Oklahoma Department of Securities (ODS) acknowledged the breach after security researchers Chris Vickery and Greg Pollock of the Silicon Valley-based security firm UpGuard reported how they discovered a wide-open server belonging to the agency.

"The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services (OMES), allowing any user from any IP address to download all the files stored on the server," says Pollock.
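The quoted finding, an rsync daemon module readable from any address, is a configuration state that can be checked mechanically. The script below is an added example, not UpGuard's tooling or anything from OMES or ODS: it parses an rsyncd.conf, merges global parameters into each module, and flags modules that have no `auth users`, no `hosts allow` restriction, or are listed to anonymous clients. The sample configuration embedded in it is constructed for illustration.

```python
"""Audit an rsyncd.conf for anonymously reachable modules (added example).

Flags the configuration pattern behind the exposure described above: an
rsync daemon module with no 'auth users' and no 'hosts allow', so a client
from any address can list and download its files.  The sample configuration
is constructed for illustration, not taken from the incident.
"""
import configparser
from dataclasses import dataclass, field

# Constructed sample: one anonymous module, one properly restricted module.
SAMPLE_RSYNCD_CONF = """\
# global parameters apply to every module unless overridden
uid = nobody
gid = nogroup
use chroot = yes

[records]
path = /srv/records
comment = case files
read only = yes

[backups]
path = /srv/backups
read only = no
auth users = backup-agent
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/8
list = no
"""


@dataclass
class ModuleFinding:
    name: str
    path: str
    issues: list = field(default_factory=list)


def parse_rsyncd_conf(text: str) -> dict:
    """Return {module name: effective parameters}, globals merged into each module.

    rsyncd.conf is INI-like but allows parameters before the first [module],
    so a synthetic [global] header is prepended for configparser.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string("[global]\n" + text)
    global_params = dict(cp["global"])
    modules = {}
    for name in cp.sections():
        if name == "global":
            continue
        effective = dict(global_params)
        effective.update(cp[name])
        modules[name] = effective
    return modules


def _flag(params: dict, key: str, default: str = "") -> str:
    return params.get(key, default).strip().lower()


def audit_modules(modules: dict) -> list:
    """List modules whose effective settings allow anonymous access."""
    findings = []
    for name, p in modules.items():
        f = ModuleFinding(name, p.get("path", "?"))
        has_auth = bool(_flag(p, "auth users"))
        hosts = _flag(p, "hosts allow")
        if not has_auth:
            f.issues.append("no 'auth users': clients connect without credentials")
        if not hosts or hosts == "*":
            f.issues.append("no 'hosts allow': reachable from any source address")
        if _flag(p, "list", "yes") != "no":
            f.issues.append("module is listed: visible to anyone querying the daemon")
        if _flag(p, "read only", "yes") == "no" and not has_auth:
            f.issues.append("writable without authentication")
        if f.issues:
            findings.append(f)
    return findings


def exposed_module_names(text: str) -> list:
    """Convenience wrapper: names of modules with at least one issue."""
    return [f.name for f in audit_modules(parse_rsyncd_conf(text))]


if __name__ == "__main__":
    for finding in audit_modules(parse_rsyncd_conf(SAMPLE_RSYNCD_CONF)):
        print(f"[{finding.name}] path={finding.path}")
        for issue in finding.issues:
            print(f"  - {issue}")
```

Run against a real daemon configuration, the audit treats any module lacking both `auth users` and a restrictive `hosts allow` as anonymously downloadable, which is exactly the state the researchers describe; restricting the source network alone is not sufficient if the daemon is reachable from the internet.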

The researchers found three TB of data; the files include spreadsheets, life insurance information, names of AIDS patients, interviews with witnesses, social security numbers, bank records, and emails and letters from agents, witnesses and subjects.

Companies badly affected by the breach include AT&T, Goldman Sachs and Lehman Brothers.

“It represents a compromise of the entire integrity of the Oklahoma Department of securities’ network,” UpGuard’s head of research Chris Vickery told Forbes. “It affects an entire state level agency… It’s massively noteworthy.”

Meanwhile, ODS has said that the open server was immediately secured after the exposure was discovered. 

"A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them," the department added. "The ODS is also exploring remedial actions and notifications for anyone whose information may have been exposed."

OYO to share customer data with state governments


Hospitality firm OYO will soon start using a digital record system, in the form of an app, and will share customer arrival and departure data with state governments in India.

The company's South East Asia CEO Aditya Ghosh announced it during a CII conference in Kolkata. He said: "At this point, we have seen acceptance from the state governments of Haryana, Rajasthan, and Telangana of our proposed digitization of guest entry and departure records. The digital arrival and departure register aim to maintain a real-time record of guest entries and update the respective governments on who's checking in and checking out, when presented with an information order for an investigation, making this a more secure, efficient and transparent process as compared to the manual version."

The announcement drew criticism from all sides, as it was unclear whether the company would share the data with authorities in real time, and some data security experts see it as a breach of privacy.

However, the company has clarified that they will only share details with authorities in case an information order is furnished. "We share any limited information only when required by law and only when we are duty-bound or permitted to disclose personal information through orders or directions of government/regulatory bodies, law enforcement officials and court orders etc."

OYO has already started using the digital register in Jaipur, and pilot projects are running in the other two states.

Meanwhile, the company is aiming to become the biggest player in the hospitality sector; currently it is at number three.

"We will have one million rooms inventory into our fold in the near distant future. I think it should happen in a year and a half," Ghosh said.

Alcatel Smartphones Pre-Installed With Malware



A weather forecast app pre-installed on Alcatel smartphones is loaded with malware that secretly sends personal data to a server in China.

According to the findings of an investigation by Upstream's Secure-D, the app was found collecting geographic locations, email addresses and IMEI codes, and sending all this user data to China. The app requests a number of privacy-invasive permissions on the device.

The app was developed by TCL, the Alcatel brand licensee, and is also available on the Google Play store. So far it has been downloaded more than 10 million times and has a decent user rating of 4.4.

"As soon as the device was placed in the “sandbox”, the application also started – in the background (i.e. not visible to the user) – accessing web pages with digital ads. A specific url (https://traffic.tc-clicks.com/?p=6070&media_type=adult&click_id=2-35d4a42fc0e859aac674a67115e9df9e_1536072819&pi=122 of the domain traffic.tc-clicks.com) was being continuously requested by the app, which in turn was redirecting to web pages with digital ads. The application was then clicking the buttons on those pages, without user interaction nor consent," Upstream wrote on their blog. 

The malware mostly affected users in Brazil, Kuwait, and some countries in Africa.

"We recorded 50MB to 250MB of data per day being consumed by the application's unwanted activity," the researchers said, which incurred financial losses for victims.

Meanwhile, Google has removed the app from the Play Store after the Wall Street Journal and Upstream notified TCL and Google officials. 

"The suspicious activity stopped after the WSJ contacted TCL," an Upstream spokesperson told ZDNet, "although the data collection continued."

Internal app leaked NASA project and employee details



A misconfiguration flaw in an internal JIRA app at the US National Aeronautics and Space Administration (NASA) exposed sensitive internal data, including the personal information of some current and former employees.

NASA has sent an internal memo to all employees stating that an unknown intruder has gained access to their servers, in which personal information of employees was stored.


The breach was first discovered on October 23, and since then the agency has been working to examine the servers, determine the scope of the potential data exfiltration and identify potentially affected individuals.

According to the report, the exact number of people affected by the breach is not known. However, the agency has taken preventive action to limit further damage.

“Those NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected,” Bob Gibbs, NASA Assistant Administrator said in the memo.

"Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate," he said.

Meanwhile, the full investigation of the matter  "will take time."