NASA suffers major data breach over stolen laptop that wasn’t encrypted

In March 2011, algorithms used to command and control the International Space Station were exposed.

In March 2012, it was the personally identifiable information (PII) of 2,300 employees and students.

In another incident, it was sensitive data on NASA’s Constellation and Orion programs.

This time around, on 31 October, it was PII on an unspecified, but large, number of NASA employees and contractors.

All these instances involved the theft of unencrypted laptops from NASA. With this most recent theft, the space agency is finally doing something about these incidents, beyond the limited scope of its previous remediation efforts.

NASA announced on Tuesday that, effective immediately, the agency is jumping on the encryption fast track.

By 21 December, no NASA-issued laptops containing sensitive information will be allowed to leave a NASA facility unless whole disk encryption software is enabled or sensitive files are individually encrypted.

In a message sent agency-wide to all employees, Associate Deputy Administrator Richard J Keegan Jr. informed NASA staff that somebody or somebodies broke into a locked vehicle on 31 October and stole a NASA laptop along with official NASA documents.

The laptop contained records with PII for a large number of employees, contractors and others, Keegan said.

He gave no explanation as to why the agency waited weeks to inform employees.

The computer was protected only with a password and lacked whole disk encryption, which left the information accessible to thieves.

NASA is taking standard breach precautions, including contracting a data breach specialist, ID Experts, to notify those whose PII was compromised.

The agency is offering free credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, access to fraud resolution representatives, and a call center and website.

It’s recommending that anybody affected activate these services ASAP.

NASA is also recommending that those affected be wary of suspicious phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it.

NASA and ID Experts won’t be contacting employees to ask for or to confirm personal information, Keegan said, so any such communication is sure to be bogus.

NASA’s embrace of full-disk encryption has up until now been less than comprehensive.

After the March 2012 stolen laptop and PII exposure, the agency pledged:

...a full review of current IT security policies and practices with the goal of making changes to prevent a similar incident.

At that time, NASA promised that all laptop computers at NASA Kennedy Space Center, not just ones with PII or sensitive data, would have their hard drives encrypted by September 2012.

In retrospect, it would have been smarter to extend that initiative to all hard drives, throughout the entire agency, not just those at Kennedy.

But that is, apparently, a lesson that NASA has now taken to heart and will implement with all due haste.

The new full-disk encryption applies to all laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data.

Keegan said that NASA’s Administrator and CIO have laid out the marching orders for agency CIOs to complete whole disk encryption of the maximum possible number of laptops by 21 November.

NASA plans to complete the effort by 21 December, after which no unencrypted laptop, regardless of whether it contains PII, will be allowed to leave its facilities.

In the meantime, employees working remotely or traveling have been told to use loaner laptops if their NASA-issued laptop contains unencrypted sensitive information.

On Wednesday, a security vendor (or then again, more likely, many security vendors, but only one wrote to me directly) sent out a statement on the NASA breach that said,

"OK, whole-disk encryption might be good, but is it good enough?"

It's a question worth asking. As the vendor pointed out, data doesn't stay put on laptops: it moves in emails and files, and it travels to and from apps and servers.

Fortunately, NASA has also declared that storage of sensitive information on smart phones or other mobile devices is now taboo.

Let's hope they also have an eye toward all the places that data propagates, whether it's in emailed attachments, on mail servers that might be in the cloud, on smartphone mail apps, on backup tapes, or in any internal or outsourced operations.

NASA image, courtesy of Songquan Deng / Secure laptop and rocket images courtesy of Shutterstock