NASA this week informed staffers that a laptop containing their personally identifiable information was stolen from another employee's locked car.
As a result, the space agency is now working to encrypt all employee laptops containing sensitive information.
The theft occurred on 31 October and involved a NASA laptop and official NASA documents issued to an employee who works at the space agency's Washington DC headquarters.
"The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others," stated a notice posted on spaceref.com. "Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals."
NASA did not reveal how many employees the theft might affect, but said it could take up to 60 days to notify all those involved. The agency said it is "thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees."
That includes partnering with ID Experts, a company that specialises in data breaches, to send letters to affected employees. They will have the option to protect their identities at no extra cost through ID Experts.
NASA warned employees not to give out personal information to people who claim - via phone or email - to be NASA staff. "NASA and ID Experts will not be contacting employees to ask for or confirm personal information," NASA said. "If you receive such a communication, please do not provide any personal information."
While this issue is sorted out, NASA has banned employees from removing laptops with sensitive information from its facilities, unless whole disk encryption software is enabled or the sensitive files are individually encrypted. NASA's IT staff has been ordered to encrypt a large number of its laptops by 21 November, and to complete the process by 21 December. The agency has also ordered workers not to store any sensitive data on smartphones or other mobile devices.
NASA did not immediately respond to a request for comment.
This is not the first time NASA has lost a laptop with sensitive information. In February, Inspector General Paul Martin informed members of Congress that an unencrypted laptop was stolen from NASA in March 2011. It contained codes to control the International Space Station, and was just one of "5,408 computer security incidents [in 2010 and 2011] that resulted in the installation of malicious software on or unauthorised access to [NASA] systems," Martin said.