
Stolen KSC Laptop Has Employee Personal Info On It (Update)

By Keith Cowing
NASA Watch
March 21, 2012

NASA KSC internal Memo: NASA KSC Laptop Theft
“On March 5, 2012, a NASA laptop computer containing sensitive Personally Identifiable Information (PII) was stolen from a NASA KSC employee. We have verified that personal information was contained in the files that were on this laptop at the time it was stolen.”
NASA KSC Response to Employee Laptop Theft
“Originally, a limited number of employees and less sensitive personal data were thought to be on the stolen computer. But as part of the investigation and response to the theft, NASA IT, security and human resource personnel confirmed (through backed-up records of the stolen computer stored on protected agency servers) more precisely what information was contained on that laptop, and it was learned on March 14 that many more employees and more sensitive data, including social security numbers, were involved. NASA is sending “letters of notification,” first in the email below, to provide faster notification, and then by paper letter by March 19, to affected employees.”
Hearing Notes: Charles Bolden Testifies on NASA’s FY 2013 Budget
“When Wolf mentioned the recent NASA IG report on computer security and the spate of incidents, Bolden said that he was going to sign a directive and that all portable devices would use encryption. He said he should have known better and that it was his fault that this had not been implemented sooner. Bolden said that he had talked to his staff and that when compared to other agencies’ IT security, that NASA was “woefully deficient”.”

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

16 responses to “Stolen KSC Laptop Has Employee Personal Info On It (Update)”

  1. Anonymous says:

    Why they, NASA or any firm let Human Resources folks wander around with all of this information on laptops to begin with, is beyond me.  They should require the information be stored on desktops that have large chains tied to them anchored to the floor, absent any USB, etc. portals too.  Never laptops.

    The extent of personal data capture is excessive, invasive, and too often lacks purpose.  Why not collect things like favorite song and tv show, last procto exam and results, your dating history, the last time you blew your nose and entire medical history?  I’m surprised they didn’t grab the individuals’ credit card numbers with the 3 digit code info too. Personal information hoarding, for what?  Control?  Power?  All to be mishandled and exposed globally.  Not just a NASA mishandling issue here, but an industry pandemic problem.

  2. Doug Mohney says:

    Bolden talked IT security last week as a matter of best practices and self-discipline, if memory serves.

    Looks like it’s time to discipline some people.

  3. Ioldanach Dyfrgi says:

    This data should be on servers, not laptops or even desktops.  There’s no need to have it in portable fashion.  This is the 21st century, the cloud reaches everywhere you’d need this data to be.

    • nasa817 says:

      I agree 100%.  It makes me wonder how many other people are toting around my SSN on laptops, USB drives, etc.  It simply should not be allowed.  NASA is living in the last century.  The flippin’ form that you use to request a key at KSC requires your SSN!!  It says it’s optional based on the 1974 Privacy Act.  But if you read the fine print on the back of the form, you don’t get a key if you don’t provide the information.  So write your SSN on a hardcopy form, or don’t get access to your office.  Sheesh!

  4. Henry Z says:

    NASA computers require the user’s NASA badge and encrypted password (at least at LaRC) to log on, it shouldn’t be a big deal.

  5. CuriousCliff says:

    Was it really stolen?  Or, was the computer left somewhere, maybe forgotten for a few minutes, and someone picked it up and walked away with it?  Did the ‘theft’ occur at an off-site location, such as an airport, motel, bar?  Someone needs to explain how the computer was ‘stolen’.

    • kcowing says:

      It was stolen according to NASA KSC PAO.

      • Jason Bachelor says:

        It was stolen from the employee’s car in his driveway.  Of course, leaving your laptop in your car at home is just plain irresponsible to put it mildly.

      • NASA_321 says:

        The car was left unlocked. 

        KSC is doing nothing for the employees beyond the two loosely written emails which include the one yr watchguard.  Questions and calls go unanswered.  Also, not one communication has addressed preventing this from happening again.

        KSC may have violated the Privacy Act of 1974, the Cohen Clinger Act, and the Paper Reduction Act (the part to reduce use of Social Security numbers).

        KSC clearly is not using the guidance within Document number M-07-16 OMB Memorandum for the Heads of Executive Departments & Agencies.  It explicitly provides policies to safeguard PII and guidance & expectations if breaches occur.  There’s even a section that discusses how to provide assistance to those affected which is not being followed at KSC.

        Keith – Please help us by posting this on the front page so someone in DC will ask the KSC CD Senior Managers the right questions to ensure the hard working employees at KSC are treated fairly.  This breach could have significant impacts on our personal lives and we deserve to have our questions answered.

  6. thebigMoose says:

    I have always thought that putting the inventory sticker on the outside of the computer, in a highly visible area was STUPID and invited theft.  If you are up to no good and you see either a NASA property tag, or an ODIN Property of Lockheed Martin tag, don’t you think you might find something important on that computer?

    I have always advised employees to take a low profile while on travel.  No visible badges, no company markings on briefcases or computers, and to keep the discussions trivial in airports… just a thought to minimize you becoming a target.

  7. dogstar29 says:

    But we have to change 14-character passwords every two months, so everything must be safe.