December 10, 2011
US space agency Nasa has been left red-faced after selling off computers without ensuring that highly sensitive data had been removed.
An internal investigation found 10 cases where PCs were sold despite them failing to follow data removal procedures.
Another four PCs – which were about to be sold – were found to contain data restricted under arms control rules. The space agency’s internal auditors discovered that its policies for wiping data from PCs used in the Shuttle programme have not always been followed.
They uncovered issues at these four locations: the Kennedy and Johnson Space Centers, and the Ames and Langley Research Centers.
In some cases, tests were not being run to confirm the computers had been wiped.
Investigators also found that some PCs that had failed those verification tests were still being put up for sale.
Their report in to the incidents says its impossible to know what data was left on the sold-off equipment, but analysis of similar equipment “raises serious concerns” for Nasa.
Investigators found four PCs being prepared for sale at the Kennedy Space Center which contained data subject to export control by the International Traffic in Arms Regulations.
They also found dozens of PCs at the Kennedy equipment disposal facility that all had external markings listing network details.
Such details could potentially provide hackers with “unauthorised access to Nasa’s internal computer network”.
Nasa will now review and update its equipment disposals procedures.
It makes you wonder what other companies do not wipe sensitive data, that could potentially open up all sorts of problems. Recycling Your IT, have a data wiping service that will remove all sensitive data from your old computer.