NASA breach update: Stolen laptop had data on 10,000 users, ComputerWorld
"Personally identifiable information of "at least" 10,000 NASA employees and contractors remains at risk of compromise following last month's theft of an agency laptop, a spokesman told Computerworld via email Thursday. ... Responding to questions from Computerworld today, NASA spokesman Allard Beutel acknowledged that agency waited nearly two weeks to publicly disclose the breach. He said that in the interim, NASA was working with law enforcement personnel to recover the laptop, and was working to determine exactly whose personal data was stored on it."
Agencywide Message to All NASA Employees: Breach of Personally Identifiable Information (PII) (Original NASA Memo to employees)
Keith's 15 Nov note: There is no common sense evident in the NASA CIO organization. Why on Earth would anyone allow information on this many people to leave the agency on a single laptop - without sufficient encryption/protection - and then leave it unattended in a car? What baffles me is that NASA waited 2 weeks to tell the people affected. I guess that means that NASA had no idea what was on the laptop in the first place - but they allowed it to leave the building anyway - and that the person taking the laptop off site either had no idea what was on the laptop (not good) or knew what was on the laptop and did not care to treat the contents the way that they should have been protected. This borders on sheer negligence.
Keith's 16 Nov update: A NASA Watch reader forwarded the letter that they received as a result of the stolen laptop. Note that NASA has yet to explain to any affected employees exactly what sort of personal information of theirs was on the laptop. So ... what is it that people need to be watching out for? Apparently everything, since NASA has yet to tell people what data of theirs is affected. People are given a list of things that they have to do at their own time and expense such as freezing their credit. NASA annoyingly notes that if one chooses to implement such a freeze "you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. The cost of placing the freeze varies by the state you live in and for each credit reporting agency."
NASA made this mistake - not the thousands of its employees who were affected. It's about time for the agency to tell its employees exactly what sort of risk they face as a result of the agency's incompetence. NASA has had more than 2 weeks to work on this. The fact that NASA still cannot - or will not - tell its employees what they need to be looking out for is simply inexcusable.