US space agency Nasa has ordered that the data on all its laptops must be encrypted, after losing another one of its portable computers. Until the process is complete, it has forbidden staff from removing Nasa-issued laptops containing sensitive information from its facilities.
The order follows the loss of a device containing “sensitive personally identifiable information”. There have been several similar incidents over recent years. Nasa said the latest incident had occurred on 31 October, when a laptop and documents were stolen from a locked vehicle of one of its employees at Nasa headquarters in Washington DC.
The machine was password protected, but the agency acknowledged that the information might still be accessible to hackers since it was not encrypted. Encryption would have scrambled the data, requiring a complicated code to make it understandable again.
As a result, Nasa has warned its workers to watch out for bogus messages. “All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from Nasa or other official sources that ask for personal information or verification of it,” an agency-wide email published by news site Spaceref stated. “Because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals impacted by this breach to be identified and contacted.”
As a result of the security breach, Nasa’s chief information officer, Linda Cureton, has said that with immediate effect laptops containing information about the following topics could only leave its buildings if the relevant data was encrypted:
the international sale or transport of weapons, nuclear equipment or other materials that fall under the US’s export administration regulations
information about Nasa’s human resources
other “sensitive but unclassified” data
She said that she wanted the maximum possible number of laptops to be encrypted by Wednesday and a target of all laptops a month later. In addition employees have been banned from storing sensitive data on mobile phones, tablets and other portable devices.
The Nasa Watch blog, which comments on affairs at the agency, had previously criticised it for a series of other data losses. It noted that the organisation had been warned in 2009 that it was not taking enough steps to sufficiently protect information and had reported the loss or theft of 48 of its mobile computing devices between April 2009 and April 2011.
This is not the first time Nasa has promised action to address the problem. In March, Nasa administrator Charles Bolden told the House Appropriations Committee Subcommittee on Commerce that that he was going to sign a directive ordering all portable devices to use encryption, after acknowledging the agency was “woefully deficient” when compared to other government departments.
To find out more, please call us on 0845 504 8989, or complete our contact form.