NASA sells computers without erasing sensitive data

Auditors say remedial plan doesn't do enough to address security gaps.

As part of an effort to shed excess property as the space shuttle program winds down, NASA sold off 10 computers without first making sure highly sensitive data had been removed, an internal audit has found.

"The weaknesses we identified in NASA's [information technology] sanitization policy and procedures put NASA at risk of releasing sensitive information that could cause harm to its mission and violate federal laws and regulations that protect such information," said the audit, which the agency's Inspector General Paul K. Martin released earlier this week.

NASA is required to remove information from electronic storage devices before selling, transferring or discarding them. During the sanitization process, the data can be overwritten or destroyed. Officials must double-check their work by attempting to access and recover the information they erased.

But the IG uncovered holes in these procedures at four NASA centers. At the Kennedy Space Center in Florida, managers were not notified when computers failed sanitization verification testing, auditors found. And at the Johnson Space Center in Texas and the Ames Research Center in California, officials were not conducting any tests. The Langley Research Center in Virginia destroyed hard drives before selling equipment, but personnel didn't properly account for or track the removed hard drives.

Given the type of work performed on the computers, the sales raise "serious concerns about the information that may have remained," the IG added. The agency was on the verge of selling an additional four computers with sensitive information, including one that contained data restricted under arms control rules, the report said.

Computers being prepared for sale at Kennedy still had NASA Internet protocol information prominently displayed, according to the IG. That information "could provide a hacker with the details needed to target specific NASA network assets and exploit weaknesses, resulting in the compromise of sensitive information," the report said.

Furthermore, auditors said they were concerned NASA stored hard drives removed from excess computers at Kennedy in an unsecured dumpster accessible to the public.

Due to the urgency of the situation, the inspector general alerted NASA's chief information officer to the findings quickly and separately from a more detailed review of the disposition of shuttle-related property. CIO Linda Y. Cureton said officials would update policies on sanitizing computers and properly removing software and write a new employee handbook by July 2011.

But the IG said the plan did not go far enough. "Overall, we do not consider the proposed actions to be responsive to our recommendations," the report stated. "Moreover, we are troubled that management's response does not reflect the sense of urgency we believe is required."

NASA did not respond to a request for comment.
