
NASA's Stolen Laptop and Data Problem Just Got Worse

By Keith Cowing
NASA Watch
December 6, 2012

Reader note: “This evening I received a second letter from NASA, stating that I’m also “one of a small number of individuals whose personal data was contained in the hard copy documents stolen with the laptop in the laptop bag.” Now there’s no question about whether my PII data has been exposed. Now more than ever, the one year offer of identity and credit monitoring that is being provided free of charge seems hardly a sufficient amount of time. I plan on 1) contacting NASA requesting additional duration of monitoring and 2) contacting my Representative, Adam Schiff, requesting for a Congressional inquiry as well. The redacted version (my personal info and NASA contact info have been removed) of the latest letter is attached.”
Keith’s note: NASA CIO Linda Cureton: please define “small number” given that over 11,000 employees had their personal information on this laptop due to your office’s inept mismanagement of IT security. Is there any mention – in any memo to employees – of the fact that hard copies of employee information were also stolen? No. Do you post anything about this on the NASA CIO website? No.
NASA is just begging for a class action lawsuit by virtue of their inept response on this matter.
Oh yes – we blurred Richard Keegan’s signature. Wonder why?
NASA’s CIO Anticipated The Laptop Theft, earlier post
Data-at-Rest Is Not A New Requirement at NASA, earlier post
Calls for Congressional Inquiry into Laptop Data Theft, earlier post
JPL Employees Want Congressional investigation Over PII Laptop Theft, earlier post
Agencywide Message to All NASA Employees: Breach of Personally Identifiable Information (PII), earlier post


31 responses to “NASA's Stolen Laptop and Data Problem Just Got Worse”

  1. Nassau Goi says:

    Keith, the way you are going after accountability on this incident is fantastic. 

    The problem is that a significant amount of the lack of accountability at the agency cannot be depicted by any website, usually with intent. The PAO plays into a large part of this.

    I personally know IT staff that has stood up about this issue in the past, but all of them were told of logistics problems and funding issues about correcting this issue retroactively by management. The same discussions occur for just about every new idea at the agency. The culture is such that, if you “create” too many problems you are more likely to get fired or reassigned. 

    The agency has a severe management problem and while many will attribute that to the top levels of congress and the president, that is far from the case. Civil servant managers hardly ever get fired for poor performance. The lack of accountability starts there. Overpriced projects with poor results tie the hands of Congress and the President and yet they usually get the blame… although often deservingly for different reasons.

    • kcowing says:

      This is a travesty – plain and simple. The agency is clearly inept – starting with its CIO – and does not care at all what happens to employees when things like this happen. I sincerely hope that every employee – civil servant and contractor alike – joins in on a class action/group lawsuit.

  2. chrislcm says:

    I just looked back over my letter (I got the first one, fortunately haven’t gotten the second one yet) and it says “…official NASA documents and a laptop computer…”.  The word that we’ve been getting is that the information identified in this person’s second letter is the same as what was on the laptop for everyone: Name, SSN, date of birth, place of birth.  The main difference is that it takes a less clever thief to take advantage of the printed version.

    I am sort of impressed by the speed and efficiency with which NASA lost control of my PII.  I had only just signed up for the PIV-II badge in June, so it took NASA less than 6 months to let my personal information escape. 

    There’s also still no explanation of why someone had a dump of that many records of PII on a laptop (i.e. why couldn’t it just be restricted to remote access, which can be designed to leave an audit trail of access), and then what purpose there was in carrying it around. 

  3. Ray Hudson says:

    I agree that NASA should be sued by all employees who received this notice.  However, they had better get organizing and get moving because there are timelines that have to be met in accordance with the Federal Tort Claims Act. Before you can bring a lawsuit upon NASA, the claimants must formally make the claim with NASA and they then have 6 months to respond.  If NASA denies the claim, then the claimants must file suit and certify their class within 6 months of NASA denying the claim. Clock is ticking…

  4. ExNASA says:

    I will join a class-action lawsuit, as I am outraged by NASA’s cavalier attitude toward safeguarding PII. I retired from NASA in May 2010, so I have to wonder why my PII was even on a laptop some 2-1/2 years after my retirement. And why was an employee even allowed to remove a computer with so much sensitive information from the NASA building? Apparently the Keystone cops are running the agency, or at least the ‘computer security’ component.

  5. TheEtruscan says:

    Gee.  Identity theft is an issue?  I’ve been living under a rock.  PII data breaches occur; banks, credit card companies, hospitals, gov’t agencies all lose data?  I’m Shocked, no accountability, it’s a Travesty, why I oughta sue ya! The sky is totally falling!!  Getta grip people.  If you haven’t thought about this before your PII stuff is lost, you’re a sucker.  Identity protection is readily available and cheap.  Are you waiting for your house to get robbed before you buy an alarm system?  NASA’s response was fast, fair, and accountable.  Chances are 95 out of a hundred that the hard copies are rotting in the trash and the laptop w/ a new hard drive is under somebody’s Christmas tree.

    • kcowing says:

      NASA’s response was inept and you know it. Identity protection is often useless or only partially effective – at best – when someone exposes large amounts of PII as they did in this case.

      • TheEtruscan says:

        Their response was not inept. Their pre-theft process was inept.

        • kcowing says:

          It most certainly was inept.  It took 2 weeks for NASA to get around to telling people.  They have yet to explain to any of the affected individuals what specific information about them was on the laptops and why it was even there in the first place (many affected individuals have not worked for NASA for many years). And offering a partial service – for only a year – is just plain pathetic.

        • Steve Whitfield says:

          I don’t see how you can say the response was not inept.  Quite aside from legalities and IT procedures and all the rest, by a simple time-honored criterion NASA’s response was/is inept —  because, last I checked, Linda Cureton is still NASA CIO.  Considering that this has been going on for a while and seemingly keeps getting worse, she should have been dismissed before now.  She is clearly either not capable of or not interested in doing this sensitive job properly.

          • TheEtruscan says:

            Argumentum ad hominem is beneath you. Here we shoot for the stars. The agency’s policy is being implemented albeit too slowly. All that PII data did not belong on a laptop and the owner was negligent in more ways than one. But you have not been harmed. And if the data is going to be exploited by ID thieves the agency has taken action to protect you if you have previously failed to take steps to protect yourself. This is a known and foreseeable vulnerability in today’s world. Big boy pants are required.

          • kcowing says:

            I love it when people hide behind fake names (there are no more Etruscans, BTW) and go after people who do use their real names. I doubt you’d say these things if you used your real name. Grow up – and knock off the insults.

          • TheEtruscan says:

            Mark Borsi here. Director of Security @ KSC. If this is important to you.

          • Steve Whitfield says:

            “The agency’s policy is being implemented albeit too slowly”

            Your “too slowly” appears to be mighty slow to me.  Regardless of whether this data is ever exploited in any way or not, it should not have happened.  It would seem inescapable that the relevant procedures are either inadequate or are not being enforced, and this is not the first such breach.  There has to be accountability or this will only continue.  I stand by my opinion, pants or no pants.

            Steve

          • Michael Spencer says:

            This is seriously what you are goin’ with?

            Let me see. Your name is on the letterhead. Why aren’t you mortified? Apoplectically apologetic?

            While your explanation of likely outcomes is probably correct, you fail to see the personal angst that has been caused by improper policy. Lots of people worrying about personal stuff because of bad policy. 

            You are the Big Dog and this is how you are going to handle it? Get some ‘big pants’?

            Shoot for the stars and do the right thing.

          • Robert_M_Nelson says:

            The arrogance of the Etruscan is typical of those who run a security apparatus. Erich Honecker told the East German people the same thing. It is time for NASA to stop intruding into the personal lives of others!

    • Jackalope3000 says:

      So if I told my employer that their actions would burn my house down and later they did burn my house down, you would just say that it’s my fault for not buying more fire insurance?

      • Steve Whitfield says:

        In fact, things are worse than that, because in this case “the employer” (NASA) was responsible for assuring that you had been provided with adequate insurance.

  6. Observe42 says:

    My personal information was also lost (although by a credit card company). They offered me the same protection of one year monitoring. I took them up on it.
    Three months later when I was applying for a loan (small business loan with a personal guarantee) the bank asked about the monitoring. I had to tell them why I got it.
    I asked my CPA who is helping us put together the loan request and he contacted the bank. He said they consider the risk associated with the loss of the data to not be overcome by the monitoring and that the end result is a negative on the loan application. They would not say how negative. It did not prevent the bank from making the loan. However we did not get very favorable terms based on what the bank called an overall assessment of risks.
    I don’t know how much of a factor the visibility to the data theft caused by the monitoring played in my credit assessment by the bank, but it appears to be non-zero.
    I still believe I did the right thing to get the monitoring, but I am very unhappy with the credit card company for offering me the monitoring and not telling me what the consequences of taking their “fix” are.
    My CPA looked into it when it first came up and discussed it with the bank who was looking to loan us money. The bank said they asked about the monitoring because they suspected it would be related to identity theft (especially because the monitoring company is associated with large scale monitoring implementation for banks and credit card companies as opposed to the companies that advertise on the radio/tv for individuals). According to my CPA, after researching it, it is fairly well known in the industry that this type of monitoring is a red flag for credit and anyone offering it would likely have known that people choosing to implement it will get stuck with this red flag.
    I would assume that the NASA people that put this together are well aware of the risk to the NASA employees they offered this to. If they were aware, I believe they should have disclosed the risk to the employees they provided the offer to. If they were not aware, I think they should move someone into that office that knows what they are doing.

  7. Geoffrey Landis says:

    It’s not as if NASA is particularly unique in this.
    Here’s one last week, just down the road from us: http://www.newsnet5.com/dpp
    and in the last month or two, there’s:
    Massachusetts: http://www.securityweek.com
    California: http://www.scmagazine.com/s
    Beth Israel: http://www.boston.com/white
    Switzerland: http://www.securityweek.com
    Hartford: http://community.greenviewd
    Oregon: http://www.scmagazine.com/t
    Arizona: http://www.scmagazine.com/p
    Stanford: http://www.scmagazine.com/s
    New York City: http://www.scmagazine.com/c

    So this should just be seen as NASA getting on the bandwagon and adopting the practices already in use by private industry.

  8. TheEtruscan says:

    Dewy, Cheatem & How will sue NASA for you but what are you going to sue for? What are your damages?  What remedy do you seek?

    • kcowing says:

      NASA needs to offer far more than one year’s free services to the affected individuals.

      • dogstar29 says:

        Sounds like a fair exchange. NASA could offer identity protection, which really everyone should have. But in reality there is no evidence the thief made use of (or perhaps even discovered) the PII. No apparent instances of identity theft resulted from the info on the laptop. So there are no actual damages and it would be very difficult to sue.

    • Appmudpie says:

      There are remedies for violations of the Privacy Act. The Act specifically provides civil remedies, 5 U.S.C. Sec. 552a(g), including damages, and criminal penalties, 5 U.S.C. Sec. 552a(i), for violations of the Act. If it was a contractor then their exposure for liability is greater than the government. In general, there needs to be federal legislation that requires notification within 72 hours of lost or stolen PII, and extended liability if that data is used without the owner’s permission.

  9. MBisass says:

    Sounds like NASA KSC investigation.  They could not solve a simple case, but they are awesome at giving out speeding tickets and getting involved in HR cases. I can’t believe they still have a SWAT team.  Nothing to defend.  Bunch of “cop want to be’s”.  Want to save millions of dollars at KSC, get rid of all the ridiculous NASA pretend cops, let the contractors do their jobs.  Go get a real education and let’s do some real science at KSC instead of spending hours coming up with speed traps.

    • dogstar29 says:

      Real science would require real R&D funding for development of science and technology of practical value here on Earth.

    • Steve Whitfield says:

      MBisass,

      Unfortunately we live in a world of no guarantees.  If you want to get rid of the “cop want to be’s,” that’s an opinion you’re entitled to, of course.  I just hope that there are no innocent people in the line of fire should that SWAT Team ever be needed.  If only a few percent of the stupid ideas that show up in movies these days were picked up on by terrorists or crazies, then NASA facilities are almost assured to be involved at some point.  The bigger the machines, the bigger the boom.  Americans should know by now that nobody’s back yard is exempt from danger any more.

      Steve

  10. Amelia Clovis says:

    I hope that everything will be good. I cannot imagine that this problem can get even worse!

  11. citizenkain63 says:

    After Katrina, there was a breach of PII of DOD employees’ (Navy employees’) information and all they did was sign us up for identity theft protection.  However, this does draw attention to the need to enforce policies already in place to protect PII.   The laptop in question had been waivered from encryption.