NASA’s Series of Data Breaches

NASA’s security history in recent months has suffered major attacks. For instance, In March 2011, someone exposed algorithms used to command and control the International Space Station. Then, in March 2012, the personally identifiable information (PII) of 2,300 employees and students was leaked. In yet another embarrassing incident, some sensitive data was breached from NASA’s Constellation and Orion programs. Finally, on October 31, 2012, PII on an unspecified, yet substantial, number of NASA employees and contractors was leaked.

Between April 2009 and April 2011, NASA reported the loss or theft of 48 of its mobile computing devices, according to the NASA Watch Blog, a loud critic of the agency’s data protection practices.

Unencrypted Employee Data

In this most recent data breach, NASA sent a warning to all employees and contractors after a theif stole a NASA laptop and other documents from an agency employee’s locked car. Richard J. Keegan, Jr., associate deputy administrator of NASA wrote:

“On October 31, 2012, a NASA laptop and official NASA documents issued to a headquarters employee were stolen from the employee’s locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors and others.”

This wasn’t the only piece of bad news. It turned out that the data on the laptop was not protected by encryption technology. “Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals,” Keegan’s notice read.

Currently, NASA has not determined the full extent of the breach. It’s assumed that the agency is still attempting to reconstruct and study all the data that had been stored on the stolen laptop. “Because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals impacted by this breach to be identified and contacted,” Keegan said.

Remediation Efforts

Being just the latest example of a number of data breaches, all involving the theft of unencrypted NASA laptops, the agency has finally seen the need to address the situation. NASA’s Chief Information Officer, Linda Cureton, has since ordered that all agency laptops be encrypted within a month. The agency’s CIOs must complete whole disk encryption of the maximum possible number of laptops by November 21, 2012. The effort is expected to be completed by December 21, 2012, after which no unencrypted laptop, regardless of whether it contains PII, will be allowed to leave its facilities. Furthermore, employees have been banned from storing sensitive data on mobile phones, tablets and other portable devices.

NASA is also taking other standard breach precautions, which include contracting a data breach specialist – ID Experts – to notify those whose PII was compromised. The agency has offered free credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, access to fraud resolution representatives and a call center and website.

The agency has recommended that those affected should be wary of suspicious phone calls, emails and other communications from individuals claiming to be from NASA, or other official sources that ask for personal information or verification of it.

Terry Greer-King, the UK managing director for security firm Check Point, commented that the fact that this latest breach comes so soon after a similar incident in March proves that enforcing good data security is an ongoing, rigorous process. “By its own admission, only 1% of NASA laptops and portable devices were encrypted as of February 2012, compared with a US government-wide encryption rate of 54%,” Greer-King said

“This shows that there is still a long way to go before the data held on government and corporate laptops is truly secure,” he went on to observe.


This article takes a look at NASA data breaches since 2011, most of which have involved stolen laptops which contained sensitive or personally identifiable information (PII) that were not protected by encryption technology. The most recent data breach was announced on October 31, 2012, and resulted in agency-wide changes to the handling and protection of PII. NASA’s Chief Information Officer has since ordered that all agency laptops be encrypted by December 21, 2012.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) and the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:

  • Personally identifiable information (CIPP/IT; I.A.c.i.)
  • Privacy by architecture – addressing data protection gaps (CIPP/IT; III.A.a.)
  • Data encryption (CIPP/IT; III.D.e.)
  • Incident response programs (CIPP/US; I.C.c.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>