An agency-wide email sent to employees at NASA has warned that one of its servers containing personal information had been hacked.
Staff who worked for NASA between July 2006 and October 2018 may have been affected, according to the email, which did not specify how many.
The incident was discovered in October.
Unlike in the EU, where data regulations require organisations to inform people if their data has been breached within 72 hours, there is no such requirement in the US.
According to the message to staff, NASA cyber security staff began investigating the compromise on 23 October, and established that data including social security numbers may have been compromised by the attackers.
"Upon discovery of the incidents, NASA cyber security personnel took immediate action to secure the servers and the data contained within," the agency said.
"NASA and its federal cyber security partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals."
More from NASA
However, the internal email – which was sent by Bob Gibbs, the assistant administrator for the agency's human resources department – stressed: "This process will take time."
He added: "The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any agency missions were jeopardised by the cyber incidents."