Stolen KSC Laptop Has Employee Personal Info On It (Update)
NASA KSC internal Memo: NASA KSC Laptop Theft
“On March 5, 2012, a NASA laptop computer containing sensitive Personally Identifiable Information (PII) was stolen from a NASA KSC employee. We have verified that personal information was contained in the files that were on this laptop at the time it was stolen.”
NASA KSC Response to Employee Laptop Theft
“Originally, a limited number of employees and less sensitive personal data were thought to be on the stolen computer. But as part of the investigation and response to the theft, NASA IT, security and human resource personnel confirmed (through backed-up records of the stolen computer stored on protected agency servers) more precisely what information was contained on that laptop, and it was learned on March 14 that many more employees and more sensitive data, including social security numbers, were involved. NASA is sending “letters of notification,” first in the email below, to provide faster notification, and then by paper letter by March 19, to affected employees.”
Hearing Notes: Charles Bolden Testifies on NASA’s FY 2013 Budget
“When Wolf mentioned the recent NASA IG report on computer security and the spate of incidents, Bolden said that he was going to sign a directive and that all portable devices would use encryption. He said he should have known better and that it was his fault that this had not been implemented sooner. Bolden said that he had talked to his staff and that when compared to other agencies’ IT security, that NASA was “woefully deficient”.”
Why they, NASA or any firm let Human Resources folks wander around with all of this information on laptops to begin with, is beyond me. They should require the information be stored on desktops that have large chains tied to them anchored to the floor, absent any USB, etc. portals too. Never laptops.
The extent of personal data capture is excessive, invasive, and too often lacks purpose. Why not collect things like favorite song and tv show, last procto exam and results, your dating history, the last time you blew your nose and entire medical history? I’m surprised they didn’t grab the individuals’ credit card numbers with the 3 digit code info too. Personal information hoarding, for what? Control? Power? All to be mishandled and exposed globally. Not just a NASA mishandling issue here, but an industry pandemic problem.
This is standard protocol for any missing laptop.
Bolden talked IT security last week as a matter of best practices and self-discipline, if memory serves.
Looks like it’s time to discipline some people.
This data should be on servers, not laptops or even desktops. There’s no need to have it in portable fashion. This is the 21st century, the cloud reaches everywhere you’d need this data to be.
I agree 100%. It makes me wonder how many other people are toting around my SSN on laptops, USB drives, etc. It simply should not be allowed. NASA is living in the last century. The flippin’ form that you use to request a key at KSC requires your SSN!! It says it’s optional based on the 1974 Privacy Act. But if you read the fine print on the back of the form, you don’t get a key if you don’t provide the information. So write your SSN on a hardcopy form, or don’t get access to your office. Sheesh!
NASA computers require the user’s NASA badge and encrypted password (at least at LaRC) to log on, it shouldn’t be a big deal.
Some people don’t encrypt. Procedures. Self-discipline. But it’s time to move to phase three – firing as an example to the rest.
No one is ever fired at NASA, Doug. They either quit, die, or fade away.
What says it was a civil servant’s computer?
NASA KSC PAO says so.
Was it really stolen? Or, was the computer left somewhere, maybe forgotten for a few minutes, and someone picked it up and walked away with it? Did the ‘theft’ occur at an off-site location, such as an airport, motel, bar? Someone needs to explain how the computer was ‘stolen’.
It was stolen according to NASA KSC PAO.
It was stolen from the employee’s car in his driveway. Of course, leaving your laptop in your car at home is just plain irresponsible to put it mildly.
The car was left unlocked.
KSC is doing nothing for the employees beyond the two loosely written emails which includes the one yr watchguard. Questions and calls go unanswered. Also, not one communication has addressed preventing this from happening again.
KSC may have violated the Privacy Act of 1974, the Cohen Clinger Act, and the Paper Reduction Act (the part to reduce use of Social Security numbers).
KSC clearly is not using the guidance within Document number M-07-16 OMB Memorandum for the Heads of Executive Departments & Agencies. It explicitly provides policies to safeguard PII and guidance & expectations if breaches occur. There’s even a section that discusses how to provide assistance to those affected which is not being followed at KSC.
Keith – Please help us by posting this on the front page so someone in DC will ask the KSC CD Senior Managers the right questions to ensure the hard working employees at KSC are treated fairly. This breach could have significant impacts on our personal lives and we deserve to have our questions answered.
I have always thought that putting the inventory sticker on the outside of the computer, in a highly visible area was STUPID and invited theft. If you are up to no good and you see either a NASA property tag, or an ODIN Property of Lockheed Martin tag, don’t you think you might find something important on that computer?
I have always advised employees to take a low profile while on travel. No visible badges, no company markings on briefcases or computers, and to keep the discussions trivial in airports… just a thought to minimize you becoming a target.
But we have to change 14-character passwords every two months, so everything must be safe.