Nasa suffers data breach after failing to wipe end-of-life PCs

Space agency sells off 10 PCs still containing highly sensitive data

Nasa has been hit by embarrassing revelations that it sold end-of-life PCs that contained top secret data on the Space Shuttle programme.

An internal investigation (PDF) at the US space agency found "significant weaknesses in the sanitisation and disposition processes" at the Kennedy and Johnson Space Centres and Ames and Langley Research Centres, which resulted in 10 computers being released with Nasa information still on the hard drives.

Nasa policy dictates that all machines which have ever stored Nasa information must be "sanitised" before being "reassigned, transferred or discarded".

In other words, they must be scrubbed of data so that it is "impossible or nearly impossible to recover the data previously stored there", the report stated.

However, the investigation found that managers at some sites were not notified when computers failed sanitisation verification testing. On some occasions no verification testing was performed at all, and unapproved sanitisation software was used in some cases.

"In addition, we found computers at the Kennedy disposal facility that were being prepared for sale on which Nasa internet protocol information was prominently displayed," the report said.

"Internet protocol information could provide a hacker with the details needed to target specific Nasa network assets, and exploit weaknesses resulting in the compromise of sensitive information."

Investigators seized a further four computers being prepared for sale that had failed sanitisation verification testing and contained sensitive data.