How to Secure Government IT Asset Disposition: Lessons from US Agency ITAD Theft

U.S. government IT asset managers, CISOs, and contractors often dispose of data storage media due to project completions, tech upgrades, and expired retention periods. Shredding data storage media seems a bulletproof way to protect data on those used devices.

But is it?

A recent theft of government IT assets highlights weaknesses too critical to ignore.

Maurice Uenuma As Blancco VP and GM for the Americas, Maurice works with an interdisciplinary team to address privacy, security, and sustainability needs of government agencies, enterprises, and device processors. His insights have appeared in Dark Reading, Help Net Security, C4ISRNet, and other industry publications. He’s also held leadership positions at multiple global tech companies and served as workforce management co-chair of NIST's National Initiative for Cybersecurity Education (NICE) Working Group. A U.S. Naval Academy graduate with nine years in the U.S. Marines, Maurice has a master’s in National Security Studies and is a GIAC-certified Global Industrial Cyber Security Professional (GICSP).

In this article

• Government IT and storage devices stolen, offered for resale
• Security gaps in government media destruction processes
• Even onsite drive shredding has risks
• The importance of tamper-proof destruction certificates
• Reinforcing security at the point of decommissioning
• How Blancco protects data even before media destruction
• Conclusion

Government IT and storage devices stolen, offered for resale

In sobering news for data security teams and IT asset managers, Resource Recycling and the U.S. Attorney’s Office reported that a former ITAD driver confessed to stealing and reselling hundreds of U.S. government devices bound for destruction.

Court documents explain how he and his cohorts stole IT assets worth thousands during ITAD jobs. They offered the stolen equipment to resellers, providing fake proof of secure data wiping and destruction to unsuspecting buyers.

This failure is not due to agencies outsourcing IT asset disposition (ITAD) services. Many IT asset disposition vendors (ITADs) partner with Blancco. They employ highly rigorous security measures and many offer onsite data erasure to mitigate against drive loss or theft.

Instead, this scenario highlights the need to reduce process vulnerabilities that malicious actors can exploit, namely, risks during handling and transit—often referred to as “chain of custody” risks.

Addressing these vulnerabilities is critical as you evaluate the asset disposition practices at your organization.

Security gaps in government media destruction processes

This ITAD theft exposes chain of custody gaps common to media destruction workflows, including within federal IT asset destruction processes.

These “soft spots” create the risk of data-laden equipment finding their way into the wrong hands.

Court records reveal that Nikhil Parekh, a former ITAD employee in the Washington, D.C. area, exploited weak chain of custody controls to divert IT assets meant for destruction. Some stolen devices were still linked to government cloud systems.

“From 2022 to 2023, Parekh and his unindicted co-conspirators served as drivers for the company and were generally responsible for receiving the IT assets from the victim agencies and companies and either securely shredding them on site or delivering them to secure shredding facilities owned by the company. Instead, however… he and others would surreptitiously remove the IT assets after receiving them and transport them to electronics re-sellers in the area for their own accounts.”

— U.S. Attorney’s Office, District of Columbia, Guilty Plea in Theft and Sale of Hundreds of Government-Issued Phones and Computers Slated for Destruction

This federal IT theft raises important questions about how organizations protect data on end-of-life IT assets.

In addition, leading government and industry organizations require a destruction certificate to confirm that data has been rendered unrecoverable (sanitized) when retiring IT assets. A certificate is required whether assets are physically destroyed or data is eliminated using software solutions. Both processes can and should be verified before a certificate is issued, and the certificate itself must meet certain criteria.

These verification and certification steps are crucial, and, as in this case, poor oversight or lack of rigorous verification in these areas can also be exploited.

Even onsite drive shredding has risks

Once disconnected or decommissioned, many organizations store devices in a locked area to await final disposition. Once the agency accumulates enough end-of-life devices, contracted service providers securely transport the load to an offsite facility for software-based data sanitization, physical drive destruction, or both.

The process can break down easily. This happens when storage areas or transportation services are not secure. It can also fail if inventory processes do not track all devices. Even trusted service providers can cause issues if they hire unqualified drivers or bad operators for transportation.

Even onsite destruction can’t guarantee data security when these chain of custody gaps exist.

That’s because anyone with access to government data storage media presents an opportunity for loss or theft. This can include insider threats from employees or government contractors or rogue actors working for external third parties.

In this instance, the ITAD’s drivers took assets directly from pallets meant for onsite shredding. These included laptops, smartphones, servers, cameras, monitors, printers, scanners, and video-teleconference phones. The result? A blatant breach of what should have been a secure asset disposition process.

This chain of custody failure underscores why complete and permanent data erasure—at the point of decommissioning—should be non-negotiable for any organization dealing with sensitive data. If devices are lost or stolen, organization IT leaders can rest secure in the knowledge that the data on those devices is already permanently eliminated—and had been before assets ever changed hands. 

The importance of tamper-proof destruction certificates

It’s unclear whether the stolen electronics retained any agency data when presented to the reseller. We do know that agreements with some customers included data wiping in addition to physical shredding.

But that’s why one of the most troubling aspects of Parekh’s thievery is his use of falsified destruction certificates. These fake data destruction certificates wrongly assured customers the ITAD had wiped and destroyed their assets.

In reality, Parekh and his co-conspirators were profiting from fully intact, functional government data storage media. If organizations did not verify sanitization beforehand, agency data could have passed unprotected into the secondary device market. The personal information of citizens or employees could also have been at risk.

Erasing data on drives and devices in-house, before sending assets for destruction, can virtually eliminate this risk.

Even with malicious actors involved, properly erased data cannot be stolen, leaked, or accessed. Requiring tamper-proof, digitally signed erasure certificates to verify that sanitization has occurred provides auditable confirmation that assets are data-free and secure.

However, that confidence depends on verification processes and the strength of the erasure certification.

As we’ve outlined before, an effective data erasure certificate must be immutable, cryptographically signed, and verifiable through an auditable chain of custody.

Bad actors can easily manipulate traditional paper-based certificates. A digital, blockchain-secured record ensures that media sanitization claims are legitimate and trackable. Had the agency or the ITAD used such a system during the asset disposal process, they could have detected discrepancies early.

“After pocketing the profits, Parekh and others would then cause the company to issue certificates to the victim agencies and companies certifying that the IT assets had been wiped and destroyed. Parekh admitted that as part of this conspiracy he and others took hundreds of assets with a value of at least $10,000.”

U.S. Attorney’s Office

Reinforcing federal IT asset disposition security from the point of decommissioning

This case is a clear warning to government agency IT departments as they evaluate IT asset disposal. Relying only on physical drive destruction and vendor claims is risky.

To mitigate this risk, IT asset managers, infrastructure leads, and CISOs at any organization should include the following in their federal ITAD management:

• Insist on automated, on-premises data erasure for every device, even if you plan to destroy those devices. The right software can automatically launch erasure as part of the decommissioning process, even from a remote location. That means data can be eradicated before any drive is removed from a server rack, any device is unplugged, or any asset is disconnected from the network. This renders electronic devices data free at the earliest point in the process, protecting against future unauthorized access.
• Audit or require proof of independent audits for any ITAD vendor. You’ll want to check:
  • That audit reports involve both scheduled and surprise in-person visits.
  • That no outstanding corrective actions exist from earlier industry audits.
  • Secure transit mechanisms are in place for vendors and subcontractors for both embedded (device) drives and loose drives.
  • That your ITAD compares pick-up and destination pallet loads based on weight and quantity.
  • For adequate staff clearances.
  • How the vendor will supply a clear audit trail (preferably automated and digitized) for each device from receipt through sanitization and to disposal.
  • That the vendor’s equipment is in good working order and that all staff are well trained in correct drive destruction and verification processes.

• Require proof of software-based data sanitization through tamper-proof, cryptographically verifiable erasure certificates before assets leave secure premises. You can request this from an outsourced vendor (we recommend our Blancco ITADs) or have your staff produce these in house with enterprise-scale erasure software. When embedding software-based sanitization within your own operations, you should be uncompromising when evaluating data erasure software and erasure certifications.
• Validate destruction certificates against industry recommendations, such as those outlined in NIST 800-88 “Media Sanitization Guidelines.” Data destruction certificates apply to both erasure and physical destruction. If you physically destroy devices through shredding, incineration, degaussing, or other means, certificates of destruction should confirm that media has been disposed of in a secure and environmentally responsible way. As noted in our NIST 800-88 Quick-Start Guide, those who sanitize IT assets and those who verify media sanitization has occurred should be different people.
• If physically destroying hardware, consider the method used. As of 2022, the latest data sanitization standard, IEEE 2883-2022 recommends against shredding or pulverizing data storage media due to increasing data storage density on high-capacity drives.

By adopting these measures, organizations can ensure their retired IT assets do not become security liabilities.

How Blancco protects data even before agency media destruction

Whether you adhere to NIST 800-88 Media Sanitization Guidelines “Destroy” recommendations or follow NSA/CSS Media Destruction Guidance, traditional physical destruction efforts may not provide adequate data protection when assets leave your control, whether that’s because of outdated destruction methods or chain of custody vulnerabilities.

Enterprise-scale data erasure solutions can immediately, efficiently, and securely get rid of data at the point of decommissioning, even in remote situations. That allows you to render data beyond recovery and reinforce data security on end-of-life assets, no matter the final destination.

Here are a few ways Blancco data erasure streamlines the process.

• In-rack erasure of data center equipment. Installing Blancco software directly on target servers allows you to perform secure, remote, in-rack erasure of servers and storage devices within your data center environment. You’ll be able to sanitize drives, logical unit numbers (LUNs), virtual machines, and hypervisors without needing manual intervention. Not only will you reinforce data security from the earliest moments of decommissioning, but you’ll also enhance operational efficiency and reduce labor costs.
• Remote or online erasure of end-user devices. Blancco remote data erasure allows IT teams to securely sanitize laptops and desktops, regardless of their location. This approach is particularly beneficial for sanitizing devices used by remote employees, ensuring data protection without the need for physical retrieval.
• Integration with IT asset management platforms. Blancco’s data erasure solutions seamlessly integrate with IT asset management platforms, streamlining the data sanitization process within existing workflows. For instance, the Blancco Secure Data Erasure app, available on the ServiceNow store, enables organizations to control and automate asset erasure directly from the ServiceNow interface.

Once data has been erased, assets can be safely and securely stored, transported, recycled, redeployed, or destroyed without concern of data leakage or other exposure.

Conclusion: Even with federal drive destruction, erase first to protect data against loss or theft

As this theft of destruction-bound government IT assets demonstrates, the need to completely and permanently delete data early is not just theoretical. Dismissing the possibility of theft or breach before physical destruction occurs is potentially catastrophic.

Whether through your own IT teams or by contracting with Blancco ITAD vendors or MSPs,  integrating solutions that automate end-of-life data sanitization early will equip you to combat this possibility—and help you and your team rest easier knowing your data is secure.

Photo by Louis Velazquez on Unsplash, with modifications.

You may be interested in:

Drive Destruction vs. Data Erasure: Which Data Disposal Method is Most Secure?

How Blancco Helps Organizations Achieve Compliance with NIST SP 800-88

DoD, NIST, or IEEE? Choosing the Most Secure Option from Modern Data Sanitization Standards

Blancco Drive Eraser