Hundreds of Data-Bearing Government Devices Stolen During Disposition by ITAD Provider’s Employee
Experts are analyzing what went wrong and how to protect their own organizations
A driver for an IT asset disposition company that operates globally pled guilty in December to stealing and reselling assets collected for destruction from government offices and other clients. These assets were then sold to various electronics resellers in the Washington, D.C. area. The employee was arrested after agents found electronics being resold with the asset tags still on them. Agents were able to trace the assets back to the government agencies that had provided them for destruction and had received certificates of their destruction.
IT leaders and ITAD providers alike are left wondering what went wrong and how to prevent it from happening in their own organizations.
What Went Wrong
The employee, Nikhil Parekh, 37, of Randallstown, Maryland, along with at least one other employee, agreed to take devices they were tasked with destroying and resell them to electronics resellers in DC and in Virginia. These devices include cell phones, tablets, laptops, and other electronic devices. Several of the ITAD provider’s clients were affected, but not all of the victims are known. Because the inspector general of USAID was investigating as well, some speculate that it was among the victims. The thefts took place from approximately July 2022 to August 2023, and hundreds of assets worth at least $10,000 were stolen and sold.
Cybersecurity Risks of Decommissioned Assets
The assets were slated for destruction under NIST 800-88, which suggests that they had negligible resale value, but given that many of these devices were government laptops, it is also likely that they had sensitive information on them that had to be destroyed—not wiped.
Under most ITAD processes, devices are not wiped before transit, especially when they are meant to be destroyed. Because the devices were not wiped, sensitive information was exposed when the devices were sold. At least one device was still connected to government cloud computing software. Text messages between Parekh and the operator of one of the shops suggest that the device was sold for parts out of an abundance of caution, meaning that data theft was not the end goal.
Managing Risk
The theft of devices took place between 2022 and 2023, and court documents suggest that the ITAD provider might not have been aware that hundreds of devices were going missing. So how did they do it?
Good ITAD providers—and the ITAD provider in this case was well-known and reputable—have a chain of custody to ensure their devices are not tampered with in transit. The gap in security that it failed to take into account was internal risk.
Because the devices were stolen by the delivery drivers, there was technically no unauthorized access. However, there are several ways that the thefts could have been detected.
Location
There were instances when the devices were taken directly from the client site to be resold, and in other instances, the devices made it back to the facility but were taken aside to be sold later. By using GPS-enabled shipping, these unauthorized stops may have been detected.
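One way to flag unauthorized stops from a truck's GPS pings, as an added example that is not from the article or any ITAD provider's tooling. The thresholds, site names, coordinates and ping format are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Assumed policy values (not from the article).
GEOFENCE_RADIUS_M = 200           # how close counts as "at" an approved site
STOP_RADIUS_M = 75                # pings this close together count as one stop
MIN_DWELL = timedelta(minutes=5)  # shorter halts are treated as traffic

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))

def unauthorized_stops(pings, approved_sites):
    """pings: time-ordered (datetime, lat, lon). Returns stops outside every geofence."""
    stops, i = [], 0
    while i < len(pings):
        anchor = pings[i][1:]
        j = i
        # Extend the stop while the truck stays near the first ping of the stop.
        while j + 1 < len(pings) and haversine_m(anchor, pings[j + 1][1:]) <= STOP_RADIUS_M:
            j += 1
        dwell = pings[j][0] - pings[i][0]
        off_site = all(haversine_m(anchor, site) > GEOFENCE_RADIUS_M
                       for site in approved_sites.values())
        if dwell >= MIN_DWELL and off_site:
            stops.append({"start": pings[i][0], "minutes": dwell.total_seconds() / 60,
                          "location": anchor})
        i = j + 1
    return stops

# Constructed sample data: sites, coordinates and times are made up.
SITES = {"client": (38.9000, -77.0400), "facility": (39.2000, -76.7000)}
T0 = datetime(2023, 1, 10, 9, 0)
PINGS = [
    (T0, 38.9000, -77.0400),                          # loading at the client site
    (T0 + timedelta(minutes=10), 38.9001, -77.0401),
    (T0 + timedelta(minutes=25), 38.9500, -77.0000),  # stop outside any geofence
    (T0 + timedelta(minutes=32), 38.9501, -77.0001),
    (T0 + timedelta(minutes=40), 38.9500, -77.0001),
    (T0 + timedelta(minutes=70), 39.2000, -76.7000),  # arrival at the facility
]
```

A tracker that stops reporting mid-route produces no pings at all, so gaps between consecutive timestamps deserve their own alert alongside this check.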
Auditing
While location tracking would not detect the theft of equipment stolen after it reached the facility, a detailed audit plan would have provided another layer of protection. Devices should be scanned before they are loaded onto the truck. Photographs to confirm the load should be taken, and they should be taken again when the truck reaches the facility. Devices should then be audited for a second time when they come off of the truck, and any discrepancies should be addressed as soon as possible. These photographs and audit records should be available for the client to compare to their own lists.
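The audit steps above amount to reconciling asset tags across each custody checkpoint and against the certificates of destruction. The following is an added example, not from the article or the provider involved; the tag format, field names and sample lists are assumptions.

```python
from collections import Counter

def normalise(tag):
    """Scanner output varies in case and padding; compare canonical tags only."""
    return tag.strip().upper()

def reconcile(manifest, pickup_scan, facility_scan, certificates):
    """Compare asset tags across every custody checkpoint and report gaps."""
    m, p, f, c = ({normalise(t) for t in tags}
                  for tags in (manifest, pickup_scan, facility_scan, certificates))
    dupes = Counter(normalise(t) for t in facility_scan)
    return {
        "on_manifest_never_loaded": sorted(m - p),
        "loaded_not_on_manifest": sorted(p - m),
        "loaded_never_received": sorted(p - f),     # went missing in transit
        "received_never_loaded": sorted(f - p),
        "certified_never_received": sorted(c - f),  # certificate with no device behind it
        "received_not_certified": sorted(f - c),    # still awaiting destruction
        "scanned_twice_at_facility": sorted(t for t, n in dupes.items() if n > 1),
    }

def needs_investigation(report):
    """Names of the checks that found at least one asset tag."""
    return [name for name, tags in report.items() if tags]

# Constructed sample data: asset tags are made up.
MANIFEST = ["GOV-0001", "GOV-0002", "GOV-0003", "GOV-0004", "GOV-0005"]
PICKUP = ["gov-0001", "GOV-0002 ", "GOV-0003", "GOV-0004"]   # 0005 never scanned
FACILITY = ["GOV-0001", "GOV-0002", "GOV-0002"]              # 0003 and 0004 absent
CERTIFICATES = ["GOV-0001", "GOV-0002", "GOV-0003", "GOV-0004", "GOV-0005"]

if __name__ == "__main__":
    report = reconcile(MANIFEST, PICKUP, FACILITY, CERTIFICATES)
    for check in needs_investigation(report):
        print(check, report[check])
```

The `certified_never_received` check is the one a client can run independently, since it needs only the provider's receiving records and the certificates the client was sent.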
Surveillance
Once devices are in the building, surveillance should be more extensive, both from cameras at entry and exit points, and from other workers. This case is so shocking because the clients did everything right. The most dangerous threats to an organization’s cybersecurity are internal.
What Happens Next?
ITAD providers across the country—and around the world—are going to be analyzing this case to attempt to close some gaps in their own ITAD processes—particularly in transit. GPS tracking will become more popular, and auditing will become more rigorous to make sure devices slated for destruction are actually destroyed.
As for the ITAD employee, he faces a maximum sentence of five years in prison and a fine of $250,000 according to the U.S. Attorney’s Office. Because of his plea agreement, his home will be searched for digital devices, which will be seized, and he will pay $10,000 in restitution. He will be sentenced in May. His co-conspirators are unindicted.
Secure Your Supply Chain with CentricsIT
It’s terrifying to think that you can do everything right and still have an ITAD breach. CentricsIT offers on-site device destruction and wiping for organizations that need an additional level of security. We also provide GPS trackers to be added to each load by the client so that assets can be tracked in real time—alerting all involved parties of unauthorized stops. CentricsIT technicians also audit all equipment coming off the truck to ensure that nothing is missing and that discrepancies are addressed as soon as possible.
CentricsIT is a leading provider of ITAD solutions in the United States with more than 18 years of experience, offering sustainable and secure ITAD services. Our team prioritizes customer service and making the ITAD process as simple—and secure—as possible. We maintain multiple certifications, including ISO 9001, ISO 14001, ISO 45001 and R2v3 to demonstrate our commitment to our clients, their data and the environment. Contact us today to learn more about how our enterprise data erasure services can help protect your business from potential data risks while ensuring regulatory compliance and sustainability.