Yesterday, NASA sent a message to all NASA employees informing them of a data breach involving a stolen agency laptop.
According to the NASA message posted at SpaceRef.com, “On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee's locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.”
The message goes on to state that NASA will be sending letters to affected individuals, once the agency figures out who they are, which may take up to 60 days. Those individuals receiving letters will be offered a free credit and ID monitoring service.
Meanwhile, NASA is urging employees to be suspicious of “any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it” since neither NASA nor its data breach specialist contractor, ID Experts, will be asking for such information.
The message then goes on to say that, “The Administrator is extremely concerned about this incident and has directed that all IT security issues be given the highest priority. NASA is taking immediate steps to prevent future occurrences of PII data loss.” The steps include barring NASA-issued laptops from leaving a NASA facility unless they have whole disk encryption software enabled or have their sensitive files individually encrypted, and requiring the purging of sensitive files no longer required for immediate work. NASA plans to have all of its laptops running whole disk encryption software by 21 December 2012.
The NASA message ends in the usual way, “NASA regrets this incident and the inconvenience it has caused for those whose personal information may have been exposed.”
Why it has taken so long for NASA to finally decide to fully encrypt its laptops remains a mystery, given its long-time poor record on IT security. As noted at NASA Watch, NASA has a history of laptops with personally identifiable information being stolen, one as recently as March.
Maybe NASA decided to act this time because it involved a NASA Headquarters employee who, in all likelihood, is very senior and should have known better than to possess a laptop with no data encryption.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.