A driver who worked on IT asset disposition jobs at Wisetek recently pleaded guilty to stealing assets – including sensitive federal government devices – during disposition jobs in 2023, representing a significant ITAD-related data breach.
The U.S. Attorney’s Office for the District of Columbia on Feb. 4 announced the criminal case against Nikhil Parekh, a former ITAD employee in the Washington, D.C. area. The case outlines charges that Parekh and others stole assets during ITAD jobs, resold them and provided fake certificates to the ITAD customers that their assets were securely data-wiped and destroyed. The thefts took place “on or about July 2022 through on or about August 2023,” according to the documents, although the identified incidents were all in 2023.
Those customers included U.S. executive branch government agencies, government contractors and others.
The court documents don’t name the company Parekh worked for, but the details provided indicate it’s Wisetek, the Cork, Ireland-headquartered ITAD firm that was acquired by Iron Mountain in September 2024 for $51.9 million. The case involves Wisetek’s warehouse in Hyattsville, Maryland, which has since closed and relocated to Winchester, Virginia.
On Dec. 10, 2024, Parekh pleaded guilty to one count of conspiracy to commit an offense against the United States, specifically for selling stolen goods. In pleading guilty, Parekh admitted that he took IT assets that were provided to Wisetek for asset disposition, and that along with unnamed co-conspirators he “would transport them across state lines, and sell them, despite knowing that the goods were to be destroyed pursuant to their responsibilities for their employer and their employer’s contractual obligations for their client.”
Parekh’s sentencing is set for May 5, and the charge carries a maximum of five years in prison and a $250,000 fine, according to the U.S. Attorney’s Office.
Iron Mountain did not respond to multiple requests for comment prior to publication. However, in a Feb. 17 statement to E-Scrap News, a company spokesperson acknowledged the situation and noted Iron Mountain would provide no further comment.
“The safety and security of our customers’ assets, information and data is our top priority,” the spokesperson wrote. “We complied with the investigations conducted by all relevant authorities into this isolated historical incident.”
Devices stolen during the course of ITAD jobs
Parekh worked for Wisetek from 2019 to 2023, primarily as a driver for ITAD jobs out of its Hyattsville facility, according to the documents. He and another employee – not identified in the case – were often paired together on ITAD jobs, where they would load retired assets into a company van and scan them into Wisetek’s asset tracking system. They were also tasked with performing on-site shredding when requested by the client.
According to prosecutors, sometimes Parekh and the co-conspirator would drive directly from an ITAD jobsite to an electronics reseller, and other times they would hold onto the devices and sell them later, according to the charging documents.
Additionally, in some cases Parekh and the co-conspirator took and sold devices that were retired by other Wisetek employees at other client sites. Clients received certificates of destruction indicating the devices had been data-wiped to National Institute of Science and Technology standards.
According to the guilty plea signed by Parekh, the thefts included:
- Devices stolen from 10 pallets of government-furnished smartphones, monitors, printers, scanners, personal computers, laptops and other IT assets, removed in January 2023 from a contractor of a federal executive branch agency. The devices were furnished by the government agency.
- Devices taken during retirement of more than 400 laptops, 1,300 smartphones, 70 servers, 20 cameras and nearly 30 video-teleconference phones, from a U.S. government agency’s Landover, Maryland, warehouse in March 2023.
- Devices taken during retirement of “hundreds more IT assets” from the same Landover warehouse in June 2023.
- An unspecified number of additional devices obtained during “jobs at additional executive branch agencies and private businesses in Maryland, the District of Columbia, and elsewhere, from which they ultimately appropriated and converted for their own personal use IT assets that clients had paid” Wisetek to process.
In July 2023, Parekh contacted the owner of a used electronics store in Haymarket, Virginia – which is redacted in most instances but is also later identified in the court records as Experimax – and offered to sell devices stolen from these jobs.
When the store owner examined some of the devices before the sale, the owner found many devices contained asset tag stickers identifying them as property of U.S. government agencies. At least one device “was connected to government cloud computing software,” according to court records.
The owner asked Parekh whether they were supposed to be there, and Parekh “noted that all devices were slated for destruction and said the government-furnished devices should be used for parts.”
The store owner expressed concern, asking, “So the government isn’t going to come looking for me or something?” and noting, “I just don’t want a guy in black suit knocking on my door.” Ultimately the store owner paid $1,000 for the first batch of devices, according to the court records.
Two weeks later, law enforcement arrived at the used electronics store and discovered 258 devices that were retired from government agencies and were supposed to be destroyed by Wisetek.
Eighteen of them were from the January 2023 agency job, another 72 were from the Landover warehouse job, and “the remainder of the devices were eventually traced back to additional government agencies and private entities, which in turn confirmed that they had provided them to (Wisetek) pursuant to a contract under which (Wisetek) was to destroy them or render them beyond use and certify the same prior to payment.”
The court documents don’t identify the clients who were victimized, referring to anonymous “executive branch agencies” and contractors. But the press release notes that, in addition to the Capitol Police, the case was investigated by the inspector general for the U.S. Agency for International Development, USAID.
USAID’s press office did not respond to an inquiry about whether the agency was one of the victims. The agency’s activities have been sharply curtailed by President Donald Trump’s administration.
Questions linger over scope of theft, data breach
There are a number of unanswered questions, including whether the identified thefts represented the entire scope of devices stolen. The court documents offer specifics of stolen device quantities in some cases but are vague in describing other thefts.
Unless it can be confirmed beyond any doubt that all thefts are accounted for, one expert said the provider should be notifying other clients of the data breach potential.
“They can’t do anything about it if they don’t know about it,” Kyle Marks, founder of ITAD consulting firm Retire-IT and an advocate for more stringent data management practices in the ITAD sector, told E-Scrap News.
It’s unclear if other Wisetek clients were notified about the breach, but there has been no public announcement from parent company Iron Mountain. Marks added it’s curious that the provider wasn’t identified by name in court documents, as the secrecy could prevent clients from learning about the situation.
Other key questions include whether Iron Mountain knew about the liability when it bought the company last year, a detail that may come up in future financial filings by the publicly traded firm, and whether all stolen devices have been accounted for.
E-Scrap News inquired whether all stolen devices were recovered and whether the stolen devices retained data from their previous use. A spokesman for the U.S. Attorney’s Office for the District of Columbia said the information in the press release and court documents represent “the extent of the publicly available information at this point.”
Marks added the situation highlights the “critical role of records reconciliation in IT asset disposition.”
“Records reconciliation, a fundamental aspect of cybersecurity, ensures that every IT asset slated for retirement is tracked throughout the ITAD process,” he noted. “Critically, clients, not their providers, must carefully compare their initial inventory of shipped assets against the inventory received by the ITAD provider. Failing to perform timely reconciliation delays investigations into potential security breaches and hinders prompt action, potentially escalating a problem into a crisis.”
He referenced the Morgan Stanley data mismanagement saga, in which numerous assets were unaccounted for after ITAD jobs.
“Morgan Stanley failed to perform a records reconciliation of assets believed to be in Arrow Electronics’ possession until it was too late,” Marks said. “Had they performed timely reconciliation, the assets may have been located, and a potential data breach avoided.”
Feb. 17 update: This story was updated to include a statement Iron Mountain provided after publication.
