In an agency-wide post published on the SpaceRef website, NASA’s associate deputy administrator, Richard J Keegan Jr, wrote that the laptop, along with official company documents, was stolen from an employee’s locked vehicle on 21 October.
"All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from NASA or other official sources that ask for personal information or verification of it," wrote Keegan Jr.
"NASA and ID Experts will not be contacting employees to ask for or confirm personal information. If you receive such a communication, please do not provide any personal information," he wrote.
While the machine was password protected, the disk was partially unencrypted, making it potentially susceptible to hackers, Keegan Jr said.
The space agency revealed that it has contracted ID Experts, a data breach specialist, to send individuals warning letters containing information on how to protect their identity using the company’s fully managed services, free of charge.
However, NASA warned that because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals affected by this breach to be identified and contacted.
"These services will include a call centre and website, credit and identity monitoring, recovery services in cases of identity compromise, an insurance reimbursement policy, educational materials, and access to fraud resolution representatives," wrote Keegan Jr. "If you receive a notification letter in the mail, follow the directions to activate your services as soon as possible."
NASA said it has taken immediate action to prevent future occurrences of PII data loss by banning the removal from its facilities of unencrypted NASA-issued laptops containing sensitive information.
Charles Bolden, NASA’s chief administrator, has called for the space agency to fully encrypt all of its laptops by 21 December.
Bolden also banned the storage of sensitive files on smartphones or mobile devices and ordered files no longer required for immediate work needs to be purged from laptop devices, adding that such files can be maintained on shared drives for records retention purposes if necessary.