NASA has contracted ID Experts to manage the breach, and has warned staff not to respond to any requests for personal information. ID Experts will write to everyone affected and provide details of free “credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, and access to fraud resolution representatives.” NASA warns that it may take up to 60 days for everyone affected to be contacted by ID Experts, and in the meantime points people to the FTC Identity Theft: What to Know, What to Do page.
Details on the incident are limited to the content of the breach notification email issued to staff and contractors by NASA, obtained and published by the space specialist website Space Ref. Computerworld notes that “NASA did not respond to a request for information on how many employees were affected, or why the agency waited nearly two weeks to disclose the breach.”
This is not the first time an unencrypted NASA laptop has been stolen. An internal memo dated 16 March 2012, also published by Space Ref, warned staff at NASA KSC that a laptop containing information “such as name, social security number, race, national origin, gender, contact phone number, e-mail, date of birth, college affiliation, and grade point average” had been stolen. Days later, NASA Administrator Charlie Bolden testified before the House Appropriations Committee Subcommittee on Commerce, Justice, Science, and Related Agencies. Space Ref reported at the time, “When Wolf mentioned the recent NASA IG report on computer security and the spate of incidents, Bolden said that he was going to sign a directive and that all portable devices would use encryption.”
This clearly hadn’t happened in the seven months before this latest incident, and may explain the extensive and forthright security instructions contained in the new email. Effective immediately, “no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted.” A program to encrypt all NASA laptops will now be initiated and completed by 21 December, “after which time no NASA-issued laptops without whole disk encryption software, whether or not they contain sensitive information, shall be removed from NASA facilities.”
Security experts hope that the disk encryption is not the full extent of NASA’s new initiative. “CIOs need to remember that just encrypting a laptop solves only a fraction of data breach risk,” warned Mark Bower, VP at Voltage Security. “Data moves to and from laptops – in emails, files, and as data to and from applications and servers. So while encrypting a laptop might be a first reaction, with attackers going after data in flight and the risk of accidental breach through multiple channels (whether it’s data at rest, in use or in motion), wherever there’s a security gap with data in the clear, it’s vulnerable to compromise.” Voltage advocates a data-centric rather than device-centric approach to encryption.