NASA has revealed that 10 computers used for its space shuttle program were sold to the public without being wiped of sensitive data.
Another computer that was confiscated before it could be sold contained information on space shuttle-related technology, which was subject to export control by the International Traffic in Arms Regulations.
In addition, computers that were being prepared for sale were found at the Kennedy Space Center's disposal facility with NASA's Internet Protocal information prominently displayed, which the investigators said could provide hackers with details they needed to target NASA network assets and exploit weaknesses.
NASA was selling the computers as it prepares to retire the shuttle programme after 38 years, with the final space shuttle flight scheduled for June 2011.
In an internal review, the space agency found that the Kennedy and Johnson Space Centers and the Ames Research Center use software to wipe equipment before disposing of them. Langley Research Center did not require this technology because it removed hard drives prior to disposal. However, the Kennedy centre was the only one that had a testing process in place to verify that disks were wiped, as required by NASA policy.
Nonetheless weaknesses were identified in all four centres' "sanitisation" policies.
For instance, Kennedy, Johnson and Ames were using unapproved wiping software, Langley did not properly account for or track removed hard drives, and Kennedy managers were not notified when computers failed sanitisation verification testing.
It was flaws in the Kennedy centre's verification process that resulted in the sale, and near sale, of the computers still containing sensitive data.
"This occurred because NASA managers are not adequately overseeing sanitisation and disposition processes," the space agency's office of inspector general said in its report, 'Preparing for the space shuttle program's retirement: A review of NASA's disposition of information technology equipment."
"NASA's sanitisation policies are incomplete and responsible personnel did not consistently follow or were unaware of applicable policy."
The independent investigators have recommended NASA's CIO carry out further reviews, take remedial actions and share best practices.