Improper Decommissioning

NASA Data Disposal Incident: A Case of Improper Decommissioning in 2009

In 2009, NASA, the U.S. government’s space exploration agency, faced a significant data breach resulting from the improper sanitization of decommissioned IT equipment. The breach, which was discovered during an internal audit, exposed sensitive information stored on old computer hard drives that were auctioned off to the public. NASA had failed to properly wipe the hard drives before they were sold, creating a risk of national security breaches and the exposure of confidential space shuttle design data.

How the Breach Occurred

NASA regularly decommissions and auctions off old equipment as part of its cost-saving efforts. However, during a routine inspection, it was discovered that hard drives containing sensitive information—including space shuttle design documents and internal NASA communications—had been sold without proper sanitization. Some of these hard drives were purchased by members of the public and, alarmingly, still contained recoverable data.

The discovery led NASA’s Office of Inspector General (OIG) to initiate a broader investigation into the agency’s IT asset disposal practices. The investigation found that NASA had auctioned off several computers, laptops, and hard drives with sensitive data still intact. This oversight was particularly concerning given the nature of the agency’s work, which often involves classified government projects and sensitive research.

The Aftermath and Investigations

Following the discovery, NASA had to track down the sold equipment and recover as many of the compromised hard drives as possible. The agency also worked with law enforcement to ensure that no sensitive information was leaked or exploited by bad actors. However, given the widespread public auctioning of these devices, some of the hard drives may never have been recovered, leaving open the possibility of data exposure.

In response, NASA was forced to overhaul its data disposal and decommissioning processes. The agency implemented more stringent policies requiring that all hard drives and data storage devices be wiped using certified erasure software or physically destroyed before they are auctioned off or disposed of.

Key Lessons Learned

NASA’s 2009 data breach highlights several important lessons that extend beyond government organizations to the broader public and private sectors:

1. Physical Destruction Is the Gold Standard: While data wiping software is often considered sufficient, the most secure way to ensure that sensitive information cannot be recovered is through physical destruction of hard drives and other storage devices. This includes methods such as degaussing or shredding, which make it impossible for data to be reconstructed.

2. Stringent Oversight of Asset Disposal: Organizations that handle sensitive data must have strict policies and oversight for IT asset disposal. In NASA’s case, a failure to implement proper checks led to a critical lapse in data security. Any organization that deals with classified or sensitive information must ensure that equipment is handled securely until it is destroyed or decommissioned.

3. Auditing and Continuous Monitoring: NASA’s data breach was uncovered during a routine audit. Regular audits are crucial for identifying potential risks or lapses in security protocols. Organizations should routinely review their IT asset management practices to ensure compliance with data protection standards.

4. The Dangers of Legacy Equipment: As organizations upgrade their technology, legacy equipment is often discarded or sold. However, even outdated hardware can contain valuable or sensitive data. Ensuring that old equipment is properly sanitized or destroyed before leaving the organization is critical to avoiding accidental data breaches.

Conclusion: Protecting Data During Disposal

NASA’s 2009 data breach was a wake-up call for government agencies and private companies alike. The incident showed that even seemingly routine activities like auctioning off old hardware could pose significant risks if proper data sanitization practices are not followed. In NASA’s case, the potential exposure of sensitive space shuttle design data could have had serious national security implications. The lesson is clear: physical destruction of sensitive media should always be prioritized over simple data wiping, especially when dealing with classified or sensitive information.

NTERA specializes in physical destruction of data. Our on-site, low-emission solutions eliminate the chain of custody risk. Following physical destruction of media on-site, all materials are recycled in Europe to recover critical raw materials for re-use in European industry.

Sources:

1. NASA Office of Inspector General Report on IT Asset Management

   https://oig.nasa.gov/audits/reports/FY10/IG-10-013.pdf

2. CNN Report on NASA’s Data Breach

   http://www.cnn.com/2009/TECH/03/18/nasa.computers.breach/

3. NASA Data Breach Overview by InformationWeek

   https://www.informationweek.com/government/nasa-failed-to-wipe-data-off-hard-drives-sold-in-auction/d/d-id/1082275

Image: