View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 15, 2012

NASA cracks down on laptop security following latest data leak

All laptops are to be encrypted... but is that enough?

By Steve Evans


US space agency NASA has ordered a crack down on laptop security after one containing sensitive information went missing.

The organisation has ordered all laptops be encrypted and until that process is complete none are to leave its facilities.

The most recent breach occurred at the end of October, when a laptop containing sensitive information was stolen from an employee’s car parked at its Washington DC office. The laptop was password protected but the data was not encrypted.

Information contained on the device was "sensitive personally identifiable information," according to the BBC, but no further details were given. However it seems a significant number of people were impacted by the theft. According to the SpaceRef website, NASA has warned workers to be on the guard against bogus calls from people with stolen NASA credentials.

Warning that a "large" number of people were at risk, NASA sent a memo to employees saying: "NASA has contracted with a data breach specialist, ID Experts, who will be sending letters to affected individuals, informing them that their sensitive PII was stored on the stolen laptop and they could be impacted by the breach."

"All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it. NASA and ID Experts will not be contacting employees to ask for or confirm personal information. If you receive such a communication, please do not provide any personal information," the memo added.

It could take up to two months to notify all affected individuals, NASA said.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

This incident is the latest in a long line of security failures at the agency and it is now taking steps to improve its security procedures. No NASA-issued laptops can be taken out of the organisation’s facilities unless it has full disk encryption or each sensitive file is individually encrypted.

The company has given itself a deadline of December 21st to complete the encryption process. Any laptops not protected by then will be removed from service, NASA said.

However some in the security industry have questioned whether encrypting the laptops goes far enough. Mark Bower, data protection expert and VP at Voltage Security, said encrypting hard drives solves only "a fraction" of data breach risk.

"Data moves to and from laptops – in emails, files, and as data to and from applications and servers. So while encrypting a laptop might be a first reaction, with attackers going after data in flight and the risk of accidental breach through multiple channels (whether its data at rest, in use or in motion), wherever there’s a security gap with data in the clear, it’s vulnerable to compromise," Bower said.

The issue with just encryption is that sensitive files do not just reside on a hard drive; they may be on a mail server as well, therefore accessible from a smartphone or web browser, Bower said.

"Then it might also be on backup tapes, and in the IT systems and networks accessible to more than just the intended recipients – such as internal IT or outsourced operations, and anyone sniffing the network," he added. "If that data happened to be shared as a file among employees and contractors, then it’s going to propagate to a lot of places beyond the laptop."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU