An unencrypted laptop was recently stolen from a NASA employee's car, exposing a "large number" of NASA employees' personal information.
"'We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees,' said Richard J. Keegan Jr, associate deputy administrator," writes Threatpost's Michael Mimoso. "The theft took place on Halloween; thieves not only took the laptop but official NASA documents issued to a person the agency referred to as a headquarters employee."
"NASA has hired data breach specialist ID Experts to help notify all of the individuals affected by the breach, Keegan said," writes Computerworld's Jaikumar Vijayan. "Those whose personal data could be accessed by the crooks will receive free credit monitoring and identity theft monitoring services as well as an insurance reimbursement policy in case of identity theft."
"NASA doesn't yet know the full extent of the breach, presumably because the agency is still attempting to reconstruct and study everything that was on the stolen laptop," writes InformationWeek's Mathew J. Schwartz. "'Because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals impacted by this breach to be identified and contacted,' said Keegan."
"While this issue is sorted out, NASA has banned employees from removing laptops with sensitive information from its facilities unless whole disk encryption software is enabled or the sensitive files are individually encrypted," writes PCMag.com's Chloe Albanesius. "NASA's IT staff has been ordered to encrypt a large number of its laptops by Nov. 21 and to complete the process by Dec. 21."
"Fortunately, NASA has also declared that storage of sensitive information on smart phones or other mobile devices is now taboo," writes Sophos' Lisa Vaas. "Let's hope they also have an eye toward all the places that data propagates, whether it's in emailed attachments, on mail servers that might be in the cloud, on smartphone mail apps, on backup tapes, or in any internal or outsourced operations."