NASA Encrypting Laptops After BreachStolen Device Contained Sensitive Information
Commenting on the Oct. 31 breach, NASA spokesman Michael Braukus tells Information Security Media Group: "Currently, it is estimated that 10,000 people have been affected, but the final number could be higher. Affected individuals identified to date include people who have applied for access to NASA information or facilities. The effort to identify all those who were affected is ongoing."
Braukus would not reveal details about the personal information that may have been exposed in the breach.
Details of Theft
In an e-mail to employees, Richard Keegan Jr., NASA's associate deputy administrator, reveals that the laptop was stolen from an employee's locked vehicle. The device contained personally identifiable information on "a large number of NASA employees, contractors, and others," according to the e-mail, obtained by the news site SpaceRef.
Braukus offers further details. "The computer was password-protected, but some of the specific files were not encrypted as required by NASA policy," he says. "The hard drive also had not yet received the whole-disk encryption software as part of the ongoing agency-wide effort."
NASA is assessing whether the data breach resulted from any violations of the agency's security policy and procedures, Braukus adds.
"Effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted," the e-mail announcement from Keegan states.
"Center CIOs have been directed to complete the whole disk encryption of the maximum possible number of laptops by Nov. 21," the announcement notes. NASA plans to complete its stepped-up laptop encryption effort by Dec. 21, "after which time no NASA-issued laptops without whole disk encryption software, whether or not they contain sensitive information, shall be removed from NASA facilities," according to the e-mail.
Credit Monitoring Offered
NASA is offering those affected by the breach free credit monitoring and related services from ID Experts, the e-mail from Keegan states. "Because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals impacted by this breach to be identified and contacted."
The e-mail reminds employees that they must not store sensitive data on smart phones or other mobile devices. And it states that sensitive files that are no longer required for immediate work needs should be purged from laptops but maintained on a shared drive if necessary for records retention purposes.
This is the second incident of a stolen unencrypted laptop at NASA this year. Braukus confirms that a human resources staffer at NASA's Kennedy Space Center reported on March 5 that an agency laptop was stolen the previous night from the employee's personal vehicle parked outside her private residence in Florida. The laptop, which contained personally identifiable information, was not recovered, he adds.
The following is the official statement on the incident that NASA provided to Information Security Media Group:
"NASA takes the issue of information technology security very seriously, and the administrator has ordered a complete review of this incident and a report on the agency's progress to better protect its information technology systems, including laptop computers. NASA's inspector general is investigating the theft of the laptop in cooperation with local authorities. NASA regrets this incident and the inconvenience it has caused for those whose personal information may have been exposed.
"The agency is in the process of assessing the loss of the computer, reviewing procedures, and alerting individuals who may be affected. NASA is taking immediate steps to prevent future occurrences of personally identifiable information data loss. The administrator and the chief information officer have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. In the meantime, employees who are teleworking or travelling will need to use loaner laptops if their NASA-issued laptops contain unencrypted sensitive information."