NASA has been sitting on a potentially serious breach of employees’ personally identifiable information (PII) after revealing a server may have been compromised months ago.

In an HR message from the Office of the Chief Human Capital Officer, the US space agency claimed its cybersecurity staff began investigating an incident on 23 October, nearly two months ago.

“After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised,” the email continued.

“NASA and its federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any agency missions were jeopardized by the cyber incidents.”

It’s still unclear exactly how many staff may have been affected by the incident, although NASA has sent the email to all employees so they can take precautions.

“Those NASA civil service employees who were on-boarded, separated from the agency, and/or transferred between centers, from July 2006 to October 2018, may have been affected,” it continued.

“Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate.”

NASA is a major target for nation state and financially motivated, as well as bedroom enthusiasts.

UK hacker Gary McKinnon famously confessed in 2009 to compromising the networks of the US space agency as part of a misguided attempt to look for evidence of a UFO conspiracy.

Sometimes NASA can be its own worst enemy: between April 2009 and April 2011, 48 mobile computing devices loaded with sensitive information were either lost or stolen.