Lawsuit possible in NASA laptop theft

NASA contractors say breach confirms fears outlined in lawsuit rejected by U.S. Supreme Court last year

A group of current and former contractors at NASA's Jet Propulsion Laboratory (JPL) may file a lawsuit due to the possible exposure of personal information stored on an agency laptop stolen last month from a locked car, their lawyer said Wednesday.

The laptop, stolen on Oct. 31, stored the personal data of some 10,000 NASA employees and contractors.

Some members of the group were part of a lawsuit filed against NASA five years ago over what they claimed were overly intrusive background checks the agency was conducting in connection with a mandatory federal smart card credentialing program.

At that time, the group contended that the data being collected by NASA was highly personal. They had expressed concern over NASA's ability to protect their private data.

The case went all the way to the Supreme Court, which last year ruled that NASA was within its rights to conduct such checks as a condition of employment.

All of those involved in that suit were contractors working as senior scientists and engineers at JPL in Pasadena, Calif. The facility is staffed and managed for NASA by the California Institute of Technology.

The Oct. 31 theft of an unencrypted agency laptop from the locked car of a teleworking NASA employee validates the privacy concerns raised in the earlier lawsuit, said Dan Stormer, a lawyer with Hadsell, Stormer, Richardson & Renick, LLC, the firm representing the group.

According to NASA, the stolen laptop contained unencrypted Social Security Numbers, dates of birth, birthplace information and other data. The laptop also stored "sensitive information" gathered as part of background investigations, NASA acknowledged.

"NASA's handling of the data was in direct violation of the Privacy Act," Stormer said. "They violated the right to privacy by releasing confidential information."

The Supreme Court's ruling in favor of NASA last year noted the private data being collected by NASA would be adequately protected under the provisions of the Privacy Act, Stormer said.

"Clearly in light of NASA's cavalier disregard for the privacy right of others," Stormer said, that did not happen.

Stormer said the group is considering whether to file a class-action suit against NASA over the recent breach, alleging negligence and violations of the Privacy Act.

Former NASA scientist Robert Nelson, who worked as a NASA astronomer for 34 years and was a senior member of the Cassini Orbiter team, said his data was compromised in the recent breach.

"The issue is how did this happen?" Nelson said in an interview with Computerworld. "When we sued them five years ago, one of the arguments we made was that we didn't believe NASA was capable enough to protect our data. When we lost our lawsuit they went ahead and completed those investigations," he said.

"What would be useful to figure out is how NASA, after all this scrutiny, was so incredibly incompetent to allow this to happen," said Nelson, who left NASA earlier this year.

In a press conference on Wednesday, Nelson and other JPL workers called on Congress to investigate the computer theft and NASA's data collection practices.

"Six years ago I and my colleagues at JPL were ordered by NASA to submit to background investigations of unlimited scope into the most intimate details of our private lives," Nelson noted in a statement. He said the data was collected from schools, residential management agents, retail businesses, employers and others.

"We warned of this possibility five years ago when we filed our lawsuit. We were ignored by the courts. Now, unfortunately, by virtue of the cavalier behavior of a NASA bureaucrat our argument has been proven," Nelson said.

In a letter addressed to several lawmakers, Nelson reiterated the concerns he had raised in the 2007 lawsuit, and asked Congress to intervene.

Rep. Adam Schiff (D-Calif.), one of the lawmakers to whom the letter was addressed, today expressed concern over the breach.

"During hearings before the House Science Committee last spring, there was testimony on the slow pace of IT security upgrades at NASA," Schiff said in a statement.

"As a member of the Appropriations subcommittee that oversees and funds NASA, I will be calling on the agency to report on and accelerate its efforts to maintain data security. The low-tech theft of a laptop is troubling enough, but it only scratches the surface of potentially far greater data vulnerabilities," Schiff noted.

NASA spokesman Bob Jacobs today said the agency understands employee concerns and regrets the inconvenience the theft has caused. "We regret that it happened and we are taking steps to ensure that it never happens again," he said.

An agency-wide full disk encryption initiative that NASA launched in the immediate aftermath of the October 31 theft is making solid progress, Jacobs said.

So far about 80% of NASA computers containing sensitive data have been encrypted, he said. All affected NASA computers should be encrypted by the Dec. 21 deadline, Jacobs added.

Teleworkers will no longer be allowed to take unencrypted laptops outside NASA facilities, he said.

Jacobs noted that the stolen laptop was not supposed to be taken from the JPL facilities. "That is one of the things we regret the most. That laptop was not supposed to leave the building," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.
