NASA suffers major data breach over stolen laptop that wasn't encrypted

Filed Under: Data loss, Privacy, Security threats

In March 2011, algorithms used to command and control the International Space Station were exposed.

In March 2012, it was the personally identifiable information (PII) of 2,300 employees and students.

In another incident, it was sensitive data on NASA's Constellation and Orion programs.

This time around, on 31 October, it was PII on an unspecified, but large, number of NASA employees and contractors.

All these instances involved the theft of unencrypted laptops from NASA. With this most recent theft, the space agency is finally doing something about these incidents, beyond the limited scope of its previous remediation efforts.

NASA announced on Tuesday that, effective immediately, the agency is jumping on the encryption fast track.

By 21 December, no NASA-issued laptops containing sensitive information will be allowed to leave a NASA facility unless whole disk encryption software is enabled or sensitive files are individually encrypted.

In a message sent agency-wide to all employees, Associate Deputy Administrator Richard J Keegan Jr. informed NASA staff that on 31 October an unknown thief or thieves broke into a locked vehicle and stole a NASA-issued laptop along with official NASA documents.

The laptop contained records with PII for a large number of employees, contractors and others, Keegan said.

He gave no explanation as to why the agency waited weeks to inform employees.

The computer was protected only with a login password and lacked whole disk encryption. A password on the operating system does nothing for data at rest: whoever has the drive can read the files from another machine, so the information was accessible to the thieves.
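The distinction above, a login password versus whole disk encryption that is actually in force, is the one a practitioner has to verify before a laptop is allowed out the door. The following is an added example, not NASA's tooling and not tied to whatever product the agency deployed; it assumes Windows laptops with BitLocker and parses the text that `manage-bde -status` prints, applying the rule that the OS volume must be both fully encrypted and have protection switched on. The sample reports are constructed and abbreviated to the fields the check needs. The edge case worth knowing is a volume whose protection is suspended: it still reports "Fully Encrypted", but the volume key is stored in the clear and the disk is readable by anyone who removes it.

```python
"""Decide whether a Windows laptop's OS volume is genuinely protected by
whole-disk encryption, from the output of `manage-bde -status`.

Added example (not NASA's code). Assumes BitLocker; the sample reports
below are constructed and abbreviated.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class VolumeStatus:
    letter: str
    label: str
    is_os_volume: bool
    conversion: str = ""      # "Fully Encrypted", "Fully Decrypted", "Encryption in Progress", ...
    protection: str = ""      # "Protection On" / "Protection Off"
    percent: float = 0.0

_VOL_HEADER = re.compile(r"^Volume ([A-Z]): \[(.*)\]\s*$")
_FIELD = re.compile(r"^\s+([A-Za-z ]+):\s+(.*\S)\s*$")   # indented "Key:   value" lines

def parse_manage_bde(text: str) -> List[VolumeStatus]:
    """Parse the per-volume blocks of `manage-bde -status` output."""
    volumes: List[VolumeStatus] = []
    cur = None
    for line in text.splitlines():
        m = _VOL_HEADER.match(line)
        if m:
            cur = VolumeStatus(letter=m.group(1), label=m.group(2), is_os_volume=False)
            volumes.append(cur)
            continue
        if cur is None:
            continue                       # tool banner, before the first volume
        if line.strip() == "[OS Volume]":
            cur.is_os_volume = True
            continue
        m = _FIELD.match(line)
        if not m:
            continue                       # key-protector names, blank lines, etc.
        key, value = m.group(1), m.group(2)
        if key == "Conversion Status":
            cur.conversion = value
        elif key == "Protection Status":
            cur.protection = value
        elif key == "Percentage Encrypted":
            cur.percent = float(value.rstrip("%"))
    return volumes

def may_leave_facility(volumes: List[VolumeStatus]) -> Tuple[bool, str]:
    """Policy: the OS volume must be fully encrypted with protection on.

    "Used Space Only Encrypted" is deliberately rejected: free space that held
    earlier files is left unencrypted. "Protection Off" (suspended BitLocker)
    is rejected even at 100% encrypted, because the key then sits in the clear.
    """
    os_vols = [v for v in volumes if v.is_os_volume]
    if not os_vols:
        return False, "no OS volume reported; treat as unencrypted"
    v = os_vols[0]
    if v.conversion != "Fully Encrypted" or v.percent < 100.0:
        return False, f"{v.letter}: {v.conversion} ({v.percent:.1f}%)"
    if v.protection != "Protection On":
        return False, f"{v.letter}: Fully Encrypted but {v.protection}; resume protection before travel"
    return True, f"{v.letter}: Fully Encrypted, Protection On"

def check_report(text: str) -> Tuple[bool, str]:
    return may_leave_facility(parse_manage_bde(text))

# Constructed sample reports (abbreviated; real output carries more fields).
SAMPLE_COMPLIANT = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
"""
SAMPLE_SUSPENDED = SAMPLE_COMPLIANT.replace("Protection On", "Protection Off")
SAMPLE_DECRYPTED = """\
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
    Key Protectors:
        None Found
"""

if __name__ == "__main__":
    for name, report in [("compliant", SAMPLE_COMPLIANT), ("suspended", SAMPLE_SUSPENDED),
                         ("decrypted", SAMPLE_DECRYPTED)]:
        ok, why = check_report(report)
        print(f"{name:10s} {'MAY LEAVE' if ok else 'BLOCKED  '}  {why}")
```

In practice the report would come from `manage-bde -status` run by an endpoint agent rather than from embedded strings; the point of the check is that "encrypted" is only half the question, and a suspended volume must be blocked just like a decrypted one.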

NASA is taking standard breach precautions, including contracting a data breach specialist, ID Experts, to notify those whose PII was compromised.

The agency is offering free credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, access to fraud resolution representatives, and a call center and website.

It's recommending that anybody affected activate these services ASAP.

NASA is also recommending that those affected be wary of suspicious phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it.

NASA and ID Experts won't be contacting employees to ask for or to confirm personal information, Keegan said, so any such communication is sure to be bogus.

NASA's embrace of full-disk encryption has up until now been less than comprehensive.

After the March 2012 stolen laptop and PII exposure, the agency pledged:

...a full review of current IT security policies and practices with the goal of making changes to prevent a similar incident.

At that time, NASA promised that all laptop computers at NASA Kennedy Space Center, not just ones with PII or sensitive data, would have their hard drives encrypted by September 2012.

In retrospect, it would have been smarter to extend that initiative to all hard drives, throughout the entire agency, not just those at Kennedy.

But that is, apparently, a lesson that NASA has now taken to heart and will implement with all due haste.

The new full-disk encryption applies to all laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data.

Keegan said that NASA's Administrator and CIO have laid out the marching orders for agency CIOs to complete whole disk encryption of the maximum possible number of laptops by 21 November.

NASA plans to complete the effort by 21 December, after which no unencrypted laptop, regardless of whether it contains PII, will be allowed to leave its facilities.

In the meantime, employees working remotely or traveling have been told to use loaner laptops if their NASA-issued laptop contains unencrypted sensitive information.

On Wednesday, a security vendor (more likely several vendors, but only one wrote to me directly) sent out a statement on the NASA breach that asked,

"OK, whole-disk encryption might be good, but is it good enough?"

It's a question worth asking. As the vendor pointed out, data does not stay put on the laptop: it moves in emails, in copied files, and in traffic between apps and servers.

Fortunately, NASA has also declared that storing sensitive information on smartphones or other mobile devices is now prohibited.

Let's hope they also have an eye toward all the places that data propagates, whether it's in emailed attachments, on mail servers that might be in the cloud, on smartphone mail apps, on backup tapes, or in any internal or outsourced operations.


NASA image, courtesy of Songquan Deng / Shutterstock.com. Secure laptop and rocket images courtesy of Shutterstock


6 Responses to NASA suffers major data breach over stolen laptop that wasn't encrypted

  1. jag · 655 days ago

    Yesir......recouping management incompetence with more tax dollars. Why bother with security implementation and maintenance when there is no fining or firing. The energized tax payers will handle the contract invoices.

  2. MikeP_UK · 654 days ago

    How does one do whole disk encryption in XP Pro? Does it require a password or similar? Can the data then be read via another Windows PC - or even a Linux PC?
    It's all very well saying data should be encrypted, but that becomes a problem if it restricts legitimate usage too strictly.

  3. Mark · 654 days ago

    Implementing these types of things is a lot of work as people come and go (how many of these laptops will have the password on a sticky-note inside the cover?) - just knowing that you even know about *every* single laptop is hard in most decentralized enterprises, much less implementing a comprehensive encryption and "I forgot the password, help!" helpdesk support infrastructure.

    Still, as with any critical infrastructure where safety and/or gov secrets are at risk, it seems amazing that so little effort has been put into it at NASA.

  4. Steven · 652 days ago

    And they bought Symantec PGP.

  5. Randy · 650 days ago

    "By 21 December, no NASA-issued laptops containing sensitive information will be allowed to leave a NASA facility unless whole disk encryption software is enabled or sensitive files are individually encrypted."
    But what about personal digital devices? They are showing up more and more in the workplace and employers welcome them because the employee has paid for them vs. the company. This is becoming a security nightmare.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.