A laptop computer stolen from a vehicle of a NASA employee on Halloween contained sensitive, private information on more than 10,000 current and former NASA employees, an internal report revealed Monday.
As a result of the loss, NASA Inspector General Paul K. Martin explained that the nation’s space agency contracted with credit monitoring services to ensure the financial identities of their employees were protected — at a cost of up to $700,000. Talking Points Memo picked up the story shortly after the report’s publication.
The report (PDF) shines a light on NASA’s long-running, often-delayed data encryption efforts, which have been underway since last year but still appear to be lagging behind. A total of 107 NASA laptops have gone missing from 2011-2012, the report adds.
The report also notes that NASA “owns or leases upwards of 60,000 desktop and laptop computers,” but only about 34,000 of them have been brought up to standards on data security. That’s due to what Martin called “a lack of sufficient internal controls,” the decentralized nature of NASA’s IT management and repeated delays by HP Enterprise Services, which NASA hired to implement agency-wide encryption protocols.
All of the agency’s laptop computers are supposed to be fully encrypted by December 21, 2012, but Martin’s report says that’s a goal not likely to be met. Instead, the report recommended that NASA IT officials recommit to enforcing a ban on taking agency laptops offsite unless they’re fully encrypted.
“NASA takes information technology security very seriously and thanks the Inspector General for its recommendations for further strengthening NASA’s systems,” NASA spokesperson Bob Jacobs told Raw Story. “Most recently, NASA has accelerated its commitment to encrypting all agency laptops, encrypting more than 11,000 agency laptops in just the last few weeks. NASA has also implemented new policies and processes that will prevent future losses of personally identifiable information, such as directing that no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted.”