March must be some kind of magical month for NASA. And by magical I mean dismal. The USA’s premier (and only) space agency is notifying employees and interns that a laptop computer with their personal information was stolen, causing a data breach. After its recent coverage regarding data security, it looks like NASA really ought to get cracking on deploying disk encryption software like AlertBoot on their computers.
An employee at the Kennedy Space Center lost his laptop during a car break-in on March 5. According to floridatoday.com, KSC realized by March 14 that “many more personnel were affected and more personal information was accessible than originally thought.”
That’s what prompted KSC to send an email notification to 2,300 civil servants and student interns on March 16. Floridatoday.com notes that this number represents “virtually the center’s entire non-contractor workforce.”
The stolen information includes SSNs, names, race, national origin, gender, date of birth, contact information, college affiliation, and GPAs.
Earlier this month, I had blogged about the findings of the Inspector General’s Office. To make it short, NASA has poor data security practices. As an example, the theft of a laptop computer in March 2011 was given. This laptop, stolen one year ago, stored the algorithms used to control the International Space Station. The Inspector General noted that:
“Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft.”
NASA, of course, went into PR mode, stating that its computers are secure. I’m sure that there’s plenty of security on those laptops. However, you’ve got to wonder how well they’ve thought things out when you consider that:
“According to Martin, only 1 percent of NASA’s portable devices are encrypted, compared to 54 percent of such devices government-wide.” [palmbeachpost.com]
One percent. Dang. Maybe it isn’t a wonder that NASA has had two significant data breaches one year apart.
Well, at least it’s better than finding out that you’re selling computers without totally scrubbing your data. With theft, you can at least claim you’re a victim.