NASA has enacted new policies to protect employee and other sensitive information after a laptop was stolen from an employee’s locked vehicle, exposing records of personal information on a “large number” of NASA employees.
The laptop was not protected by whole-disk encryption, NASA officials said, putting an undisclosed number of employees at risk for identity theft and other abuses of personal data.
“We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees,” said Richard J. Keegan Jr., associate deputy administrator. The theft took place on Halloween; thieves took not only the laptop but also official NASA documents issued to a person the agency referred to as a headquarters employee.
NASA has hired a service provider to handle disclosure and provide identity monitoring and recovery services to affected employees. NASA said it could take up to 60 days for all individuals involved to be notified.
“The Administrator is extremely concerned about this incident and has directed that all IT security issues be given the highest priority,” Keegan said. “NASA is taking immediate steps to prevent future occurrences of PII data loss.”
Those steps include a new policy that no NASA-issued laptop containing such sensitive data will be allowed to leave a NASA facility unless full-disk encryption is deployed or the individual sensitive files are encrypted.
“This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data,” Keegan said. Agency CIOs have until Nov. 21 to deploy encryption on laptops. Beyond that date, a NASA statement said, no NASA-issued laptop will be allowed to leave a facility regardless of whether it contains personally identifiable information.
NASA is also prohibiting any sensitive data from being stored on a mobile device and requiring that all sensitive files not required for immediate projects be deleted from laptops and stored on shared drives.
Information security has been scrutinized at NASA since testimony in February by NASA Inspector General Paul Martin before the House Science, Space and Technology subcommittee revealed that hackers had full access to the agency’s Jet Propulsion Lab systems and user accounts. The lab’s systems were attacked 47 times, 13 of those resulting in successful compromises. The agency experienced 5,408 incidents in 2010 and 2011 where attackers either installed malware or gained access to systems.
In March 2011, a laptop containing algorithms used to control the International Space Station was stolen, one of 48 laptops stolen between 2009 and 2011. As of Feb. 1, one percent of NASA laptops were encrypted.