Security Experts:

NASA's Stolen Laptop Was Not Encrypted - Puts 'Large Number" of Employees At Risk

The nation's space agency is facing a data breach after an employee laptop was stolen from a locked car. The incident may finally force the organization to adopt whole disk encryption to protect sensitive data.

A password-protected laptop issued to a NASA employee was stolen from the employee's locked vehicle on Oct. 31, according to a message from Richard J Keegan Jr., the associate deputy administrator at the National Aeronautics and Space Administration, posted yesterday on SpaceRef.com. The laptop contained records of sensitive personally identifiable information for a "large number" of NASA employees, contractors, and others, the post said.

NASA Stolen LaptopWhile the laptop was password protected, it did not have whole disk encryption software, which means that the data stored on the drive could be accessible to unauthorized individuals, Keegan wrote. Since the disk wasn't encrypted, the thief could easily pop the hard drive out of the laptop and into a different machine as a secondary drive or into a hard drive enclosure to view the contents. Thieves could also potentially use a boot CD to bypass the computer's normal logon procedures (and password prompt).

"We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees," Keegan said.

It is not clear exactly what constitutes a "large number," nor did the post identify what kind of PII was compromised. PII refers to data that can be used to distinguish individual identity, and includes information such as first and last name, address, Social Security number, and date and place of birth. IP addresses, car registration plate numbers, driver's license numbers, biometric and fingerprint data, credit card numbers, and job information can also be considered PII, especially if combined with other pieces of data.

NASA's Information Technology and Communications Division did not respond to SecurityWeek's questions asking for clarification.

NASA is not even sure at this point who is affected by this laptop theft as the agency is still investigating. The agency will be sending out notification letters to affected individuals once it figures out who they are, which may take up to 60 days, according to Keegan's post. Those victims will be eligible for a free credit and IT monitoring service from ID Experts.

"All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information," Keegan wrote. NASA and ID Experts will not be contacting employees to ask for or confirm personal information.

One positive outcome of the data breach is that NASA appears to be taking the incident seriously and immediately putting in new changes to protect data in case of future incidents. NASA's "Administrator and the Chief Information Officer have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility" unless it has whole disk encryption enabled or sensitive files are individually encrypted, Keegan said. The deadline to encrypt the "maximum possible number" of laptops is Nov. 21, and all laptops, regardless of data stored, should be encrypted by Dec. 21.

After the December deadline, NASA-issued laptops without whole disk encryption, regardless of what data is stored on the devices, will not be allowed to leave NASA facilities, according to the new rule. Sensitive files that aren't needed for immediate use will be removed from all laptops and employees will no longer be able to store data on smart phones or other mobile devices, Keegan wrote.

The new rules applies to laptops containing PII, International Traffic in Arms Regulations and Export Administraton Regulations data, procurement and human resources information, and other sensitive but unclassified data.

The Office of the Administrator will be monitoring the agency's progress on a weekly basis. It's not known at this time whether any of NASA's laptops already have whole disk encryption, or if this is something the agency has to start from scratch.

This is also not NASA's first theft-related breach, as a laptop containing sensitive PII was stolen from a employee at Kennedy Space Center back in March, according to NASA Watch. While the agency originally said only "a limited number of employees" were impacted, further investigation confirmed that "more employees and more sensitive data, including social security numbers, were involved," according to posts on SpaceRef.com.

NASA has promised to encrypt its laptops before, and it's clear the agency hasn't followed through completely. In his March testimony to the House Appropriations Committee Subcommittee on Commerce, Science, and Related Agencies in March, NASA Administrator Charles Bolden said he planned to "sign a directive and that all portable devices would use encryption."

IT security has been a big issue over at NASA over the past two years. There have been numerous reports from the Office of Inspector General and Government Accountability Office citing the agency's repeated failures to comply with security requirements, whether it's in risk management, configuration monitoring, proper methods for decommissioning sensitive equipment, or even just meeting guidelines from the Department of Homeland Security.

Keegan said "changes and clarifications in NASA policy" would be effective immediately.

As NASA Watch noted today, "How many times do things like this have to happen before NASA finally figures out how to fix this obvious problem?"

“CIOs need to remember that just encrypting a laptop solves only a fraction of data breach risk,” said Mark Bower, VP at Voltage Security. “Data moves to and from laptops – in emails, files, and as data to and from applications and servers. So while encrypting a laptop might be a first reaction, with attackers going after data in flight and the risk of accidental breach through multiple channels (whether its data at rest, in use or in motion), wherever there’s a security gap with data in the clear, it’s vulnerable to compromise.”

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.