IT Asset Disposition (ITAD) Is the Slow-Motion Data Breach Nobody Notices

Efforts to wall off sensitive corporate and government data from foreign adversaries have a gaping hole, warns Mark Dobson of NextUse: IT asset disposition (ITAD), where vendors – many owned by Chinese firms – process discarded hardware (and the data it contains) with little oversight.

There’s been a lot of talk in recent years about data breaches. The theft and sale of stolen data, including personally identifying information (PII), trade secrets, and classified information, have become both commonplace and (for cyber criminals) lucrative. In fact, today data is widely considered more valuable than commodities like oil or gold.

Mark Dobson, NextUse

At the same time, an age-old problem has gotten renewed attention over the last few years: countries that do not abide by international intellectual property (IP) or copyright laws. Governments around the world, led by nations like China, Russia and Iran, have upped their investments and expertise in data theft, with teams of specialized hackers on their payrolls.

In response, many countries have banned government agencies, contractors and subcontractors from using technologies from suspect nations. To give just a few examples: Canada prohibited the transport of data outside the country by agencies via international cloud service providers; the U.S. has blacklisted mobile phones and networking devices manufactured by the Chinese firm Huawei and software from the Russian firm Kaspersky Lab; Germany has banned Microsoft, Google, and Apple cloud services; and so on.

But these efforts to wall off sensitive, national data have one glaring omission: IT asset disposition (ITAD), the arena in which IT assets are retired and disposed of. Today, ITAD vendors of wildly varying competency and legitimacy process discarded hardware across the developed world with little oversight.

Data processed by the Ton

E-waste is the world’s fastest growing type of waste, and tons of data-bearing devices are being retired every day by consumers, corporations, and government agencies. ITAD vendors are tasked with destroying such data before reselling the devices into secondary markets or physically destroying and recycling hardware including data-holding drives.

While most ITAD vendors carry out these duties responsibly, it is important to recognize that improprieties can and do occur in the ITAD space. For example, the American recycling company, Total Reclaim Inc., paid a $553,000 fine to the State of Oregon for false advertising after the company was found “downstreaming” (or reselling) retired IT assets they had been paid to destroy to a company in Hong Kong.

Enter: China

The relationship between ITAD, responsible recycling and data destruction is complex. It becomes more complex when major IT companies under foreign ownership are responsible for processing IT assets (and data) belonging to U.S. corporations and U.S. government agencies.

Two examples of this disconnect are USB Recycling and Green Tech Solution, U.S. subsidiaries of investment firm Tianjin Sheng Xin Non-Financing Guarantee Company based in Tianjin, China. In 2017 and 2018, the Chinese parent company invested almost $76 million into converting old textile plants in North and South Carolina into recycling plants. Those facilities are now focused on processing electronics such as old computers and mobile telephones bought from schools, industry, and big companies.

Recently, on November 18, 2019, USB Recycling announced that it had joined TERRA (The Electronics Reuse & Recycling Alliance) to provide electronics recycling options for residents of North Carolina, South Carolina and Virginia. This will allow USB Recycling to offer “secure data destruction services” to more than 14.6 million residents in 146 counties from the firm’s facilities in the Carolinas.

Then there’s Ingram Micro, a giant distributor of information technology products owned by HNA Technology of China. In December 2016, the Chinese company Tianhai Investment (now known as HNA Technology) acquired Ingram Micro in a $6 billion all-cash transaction. During this leveraged buyout, the company borrowed a huge sum from the Agricultural Bank of China (ABC). ABC, also known as AgBank, is one of the “Big Four” banks in the People’s Republic of China. It was founded in 1951, and approximately 83% of it is owned by China’s Ministry of Finance, Central Huijin Investment Company and the National Social Security Fund. Since that acquisition, Ingram Micro has expanded its global ITAD offerings significantly, including the addition of new facilities and a recently announced channel partner program.

Data thrown out with the trash?

So, are foreign powers acquiring your data right out from under your company’s nose? The answer, quite possibly, is “yes.”

“Companies take several extreme measures to prevent costly data breaches over their networks,” said Jeff Londres, founder and CEO of NextUse, an ITAD company that specializes in certified data destruction. “But when it’s time to retire these data-bearing IT assets, they hand them over to ITAD vendors based in countries with horrible track records of respecting data privacy and ownership.”

As concern grows about foreign government forays into sensitive corporate and government networks, ITAD vendors should be on the U.S. government’s radar, Londres believes. “With everything going on with China, it makes no sense that the U.S. government isn’t more concerned about Chinese-owned companies like Ingram Micro,” he said.

That’s especially true as China puts the finishing touches on a comprehensive internet security and surveillance program, whereby all data in the country must be visible to the government: no encryption, no VPNs, no exceptions. The program applies to both domestic and foreign companies, with no exclusions for IP or trade secrets. The new rules apply to all communications and data transmitted across Chinese networks and housed on servers within the country. China is being very transparent about its intentions in all of this.

Pick ITAD Vendors with Care

Is all data on all retired IT assets handled by foreign-owned companies in peril? Probably not. However, while we’re raising the alarm over applications like FaceApp and TikTok, it’s reasonable to take a close look at whether U.S. firms and government agencies are handing over corporate and classified information to entities owned by, or under the influence of, adversarial nations.

So, what’s the best way to keep China, Russia and other countries from stealing your data? First, take the opportunity to scrutinize your ITAD vendors. Make sure your vendor has NAID AAA certification. Beyond that, be diligent and take steps to protect data on IT assets that are in active use. As you retire these data-bearing assets, rely on a vendor that specializes in data security and destruction using NAID AAA certified processes. You’ll rest easy (or at least easier) knowing that your sensitive data has been securely and irretrievably retired as well.