How the Breach Occurred
NASA regularly decommissions and auctions old equipment as a cost-saving measure. During a routine inspection, it was discovered that hard drives containing sensitive information had been sold without proper wiping. Some drives were purchased by members of the public and still contained recoverable data. NASA's Office of Inspector General (OIG) initiated a broader investigation into the agency's IT asset disposal practices.
The Aftermath and Investigations
NASA had to track down the sold equipment and recover as many compromised hard drives as possible. In response, NASA was forced to overhaul its data disposal processes, implementing more stringent policies requiring all hard drives to be wiped using certified erasure software or physically destroyed before being auctioned off.
Key Lessons Learned
- Physical Destruction Is the Gold Standard: The most secure way to ensure sensitive information cannot be recovered is through physical destruction.
- Stringent Oversight of Asset Disposal: Organisations must have strict policies and oversight for IT asset disposal.
- Auditing and Continuous Monitoring: Regular audits are crucial for identifying potential risks or lapses in security protocols.
- The Dangers of Legacy Equipment: Even outdated hardware can contain valuable or sensitive data.
Conclusion
NASA's 2009 data breach was a wake-up call for government agencies and private companies alike. NTERA specialises in physical destruction of data. Our on-site, low-emission solutions eliminate the chain-of-custody risk, and all materials are recycled in Europe to recover critical raw materials.
