NASA officials this week revealed tens of thousands more personnel files than originally reported were lost after a password-protected but unencrypted laptop computer was stolen from a parked car in Washington, D.C., on Halloween night.
By mid-November, NASA had determined that the files of approximately 10,000 past and present agency employees were contained in the stolen computer, an admission that sparked calls for a congressional investigation by outraged members of a class-action lawsuit filed against NASA by employees of Jet Propulsion Laboratory (JPL), located in Pasadena, Calif., and managed for NASA by the nearby California Institute of Technology, Caltech.
The breach, which NASA says is still under investigation, now includes the loss of up to 40,000 employee files, The Progressive has learned.
The computer was taken roughly two years after the U.S. Supreme Court ruled 8-0 against the scientists, engineers and administrative workers contracted by NASA through Caltech, finding NASA had the right to seek out highly personal background information about all federal employees under provisions of Homeland Security Presidential Directive #12, or HSPD-12, recommended by the 9/11 Commission and issued by President George W. Bush in 2004.
In its final ruling presented on January 19, 2011, the Supreme Court found that the government's demand for background information did not impinge upon JPL employees' right to informational privacy. Indeed, the court found, "The Government has an interest in conducting basic background checks in order to ensure the security of its facilities and to employ a competent, reliable workforce to carry out the people's business. The interest is not diminished by the fact that respondents are contract employees. There are no meaningful distinctions in the duties of NASA's civil-service and contractor employees, especially at JPL, where contract employees do work that is critical to NASA's mission and that is funded with a multibillion dollar taxpayer investment."
Bush's directive requires all civil servants and contract employees -- in NASA's case, everyone from cooks in the cafeteria to scientists working on truly amazing but nonetheless non-classified, non-military intergalactic projects -- to acquire and show a common employee badge after submitting to background investigations. Informational privacy advocates contend those probes could -- and often do -- include invasive, clandestine inquiries into criminal pasts; sexual preferences; medical, psychiatric and drug-use histories; academic records; spending habits; and any other subject investigators decide to ask about. Although considered "voluntary," workers at JPL were told they would be fired if they refused to comply.
The 28 plaintiffs, led by Dr. Robert Nelson, a retired solar systems scientist who had been with JPL for 34 years, claimed that the government had no need to possess such intimate and potentially sensitive private information for its contract hiring purposes. Further, Nelson presciently pointed out, NASA would be incapable of adequately protecting those files if it had them. The recent revelations related to last fall's laptop theft in Washington have only bolstered those beliefs.
"We are demanding that they tell us exactly what they think they lost," Nelson told The Progressive soon after hearing the latest news on the Halloween laptop breach.
For Nelson and others involved in the case, the fight over HSPD-12 didn't end with the Supreme Court's ruling. In early March, attorneys are expected to respond to a National Labor Relations Board (NLRB) ruling that Caltech and JPL violated the labor rights of Nelson and four other scientists -- among them 18-year JPL employee Scott Maxwell, the "driver" of the Mars rover Curiosity, who now works at Google -- by issuing them discipline citations in relation to the ruling. Two such citations could result in dismissal. Nelson and his colleagues were accused of using a government email address to send messages about the legal ramifications of the ruling to fellow NASA workers. One was sent by Nelson on Jan. 21, 2011, two days after the ruling. Another email was then sent by Maxwell, flight engineer Dennis Byrnes, and engineer Larry D'Addario on Jan. 27, and another email was sent by Byrnes on April 6, according to the complaint.
"Obviously, we're optimistic, and we're not unbiased, but we think the judge will rule in our favor, and we have reason to expect Caltech will also appeal that ruling. So that's the next step," said Byrnes, who, like the others, is a co-litigant in the Supreme Court case, NASA, et al. v. Nelson, et al.
In a Feb. 1 email addressed to Byrnes, Kelly M. Carter, Breach Response Team Lead for NASA in Washington, writes that the agency learned of more stolen personnel files in mid-January, and has been "working non-stop since day 1 of the breach to analyze the backup file and identify individuals whose information was contained in it."
For the most part, Carter writes, the recently discovered files "were from the NCRS [Name Check Request System] that pre-dated HSPD-12. The format of some of the data, which included names, some SSNs [Social Security numbers], and some dates of birth was not conducive to automated searches and that's why it was not found earlier in the process."
All told, Carter wrote, "The 18,000 [additional] individuals include current and former NASA civil servants and contractors from all NASA centers; approximately 3,500 of them were from JPL." Carter declined to talk about the investigation, referring all comment to NASA's media relations department.
To date, 40,000 people, both retired and working at agency locations around the country, have been notified about the Halloween computer theft, said NASA spokesman Allard Beutel.
"We wanted to cast the widest net possible to make sure that we contacted anyone who possibly could be affected by this. We've sent letters to approximately 40,000 people, offering identity protection and credit monitoring." So far, said Beutel, whose own personal background-checked information was contained on the stolen laptop, "We have absolutely no indication at all that anyone's personal information has been compromised."
The investigation of the breach remains ongoing, he said.
Some of the additional files contained on the stolen computer included less inclusive NCRS data dating back at least six years. But, Carter writes to Byrnes, "Information provided by individuals to obtain access to NASA facilities, in response to HSPD-12 or other requirements, was on the stolen laptop."
"They are not saying who lost the laptop. That's a personnel item. They won't say who it was, and we have no idea," Byrnes said. "But why an individual would have on their work laptop at NASA headquarters 40,000 people's personal identification information ... why they would be carrying that around is certainly a mystery."
NASA has had a number of problems in recent tears with keeping data secure. In 2007 and 2008, the Government Accountability Office (GAO) said the space agency had reported 1,120 "security incidents," according to a 2009 story in The New York Times. The GAO report also revealed that in 2009 an unnamed NASA center reported the theft of a laptop containing about 3,000 unencrypted files on arms traffic regulations and wind tunnel tests for a supersonic jet. NASA was eventually required to encrypt its computers, according to The Times, but not all of the agency's 38,000 laptops had been refitted by the time of the Halloween theft.
Nelson, who served as a co-investigator on NASA's Voyager Grand Tour of the Solar System, and was the project scientist for its Deep Space 1 mission, said he and his fellow litigants warned of the possibility of such a breach when they first filed their lawsuit in U.S. District Court in Los Angeles in August 2007.
"We were ignored by the courts," Nelson said. "Now, unfortunately, by virtue of the cavalier behavior of a NASA bureaucrat, our argument has been proven. Our nightmare of five years ago has become a reality."