Data Loss: Agencywide Message to All NASA Employees: Breach of Personally Identifiable Information (PII)

[security curmudgeon <jericho () attrition org>]

---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.spaceref.com/news/viewsr.html?pid=42609

Source: NASA HQ
Posted Tuesday, November 13, 2012

From: HQ-NASA INC [mailto:hq-nasa-inc (at) nasa.gov]
Sent: Tuesday, November 13, 2012 2:30 PM
Subject: Breach of Personally Identifiable Information (PII)

AGENCYWIDE MESSAGE TO ALL NASA EMPLOYEES

Point of Contact: Kelly M. Carter, Information Technology and 
Communications Division, NASA Headquarters, kelly.carter (at) nasa.gov

Message from the Associate Deputy Administrator:

Breach of Personally Identifiable Information (PII)

On October 31, 2012, a NASA laptop and official NASA documents issued to a 
Headquarters employee were stolen from the employee's locked vehicle. The 
laptop contained records of sensitive personally identifiable information 
(PII) for a large number of NASA employees, contractors, and others. 
Although the laptop was password protected, it did not have whole disk 
encryption software, which means the information on the laptop could be 
accessible to unauthorized individuals. We are thoroughly assessing and 
investigating the incident, and taking every possible action to mitigate 
the risk of harm or inconvenience to affected employees.

NASA has contracted with a data breach specialist, ID Experts, who will be 
sending letters to affected individuals, informing them that their 
sensitive PII was stored on the stolen laptop and they could be impacted 
by the breach. This notification also will provide them information on how 
to protect their identity using the fully managed services of ID Experts 
at no cost to the individual. These services will include a call center 
and website, credit and identity monitoring, recovery services in cases of 
identity compromise, an insurance reimbursement policy, educational 
materials, and access to fraud resolution representatives. If you receive 
a notification letter in the mail, follow the directions to activate your 
services as soon as possible.

All employees should be aware of any phone calls, emails, and other 
communications from individuals claiming to be from NASA or other official 
sources that ask for personal information or verification of it. NASA and 
ID Experts will not be contacting employees to ask for or confirm personal 
information. If you receive such a communication, please do not provide 
any personal information.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.