Last week, the National Aeronautics and Space Administration (NASA) announced a data breach on October 31 where an employee's laptop computer was stolen from a locked car. The laptop contained the sensitive personal information for about 10,000 employees and contractors.
NASA first notified all of its employees in an e-mail message. The agency has contracted with ID Experts to provide free credit monitoring and fraud resolution services for breach victims. In the e-mail message, the agency warned that it make take up to sixty (60) days to notify all affected persons.
The stolen laptop was password protected, but did not have full disk encryption. As a result of the data breach, the agency has mandated that any laptops removed the its offices contain full disk encryption:
"The Administrator and the Chief Information Officer (CIO) have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data."
The agency expects to encrypt all laptops by by December 21, 2012 after which any laptops removed from its offices will have all data encrypted, whether or not that laptop contains sensitive information.