A recent internal audit at NASA, the U.S. space agency, found significant weaknesses in the way the agency disposes of IT equipment, including evidence that used hard drives containing sensitive NASA data may have been sold to the public on the secondhand market.
The audit focused on the Johnson and Kennedy Space Centers and the Ames and Langley Research Centers. It comes amid growing concerns over data protection that stem from recent, high-profile U.S. government data breaches. The audit was concerned with the disposition of shuttle-related IT equipment containing sensitive information pertaining to space shuttle operations and maintenance. NASA is preparing to retire its Space Shuttle Program after 38 years and more than 130 missions.
According to NASA Procedural Requirements, any electronic storage device that has ever contained NASA information must be sanitized before being reassigned, transferred, or discarded. Sanitization requires removal of any data by overwriting, degaussing, and/or destruction of the device so that data is nearly or completely impossible to recover. It is a further requirement that these devices be tested to determine the effectiveness of their sanitization.
The audit discovered that the Johnson and Ames Research Centers neglected to run sanitization verification tests. Furthermore, managers at the Kennedy Space Center were not being notified when devices failed the sanitization verification tests. The sanitization software used by Ames, Kennedy, and Johnson was unapproved, according to the report.
In addition to the leak of raw data from the space agency, the audit found that NASA was selling computers on which NASA proprietary protocol information was prominently displayed. Such information, while not sensitive in itself, could be used to target specific NASA network assets and exploit weaknesses, resulting in the compromise of sensitive information. The audit noted that while many hard drives passed the sanitization verification test and were sold, there was not an adequate process by which to track these drives. It also determined that certain devices were being sold despite failing sanitization verification tests and that sensitive NASA data was released as a result.
NASA did not reply to a Threatpost request for comment prior to publication.
Data breaches that come by way of data being improperly stored on government computers are hardly new. Famously, in 2006, an analyst working for the Department of Veterans Affairs lost a laptop containing personal information on 26.5 million veterans. Reports about that incident cited the lack of internal controls to prevent reckless copying and better user education to stem insecure practices.
For more information consult the complete NASA audit.