Stop Data Breaches: Hold ITAD Certifiers Accountable!


The Issue
Introduction
Our sensitive data—government secrets, personal information, corporate records—is at risk. The Wisetek driver theft scandal exposed shocking failures in the IT asset disposition (ITAD) industry, where a trusted company allowed thousands of data-bearing devices to be stolen and resold, endangering national security and public trust.
Certifications like NAID AAA, e-Stewards, and R2, meant to guarantee secure data handling, failed to stop this breach. We demand that i-SIGMA, Basel Action Network (BAN), and Sustainable Electronics Recycling International (SERI) investigate Wisetek’s misconduct, hold them accountable, and reform flawed certification systems to protect our data.
Why It Matters
Every day, organizations rely on ITAD providers to securely destroy old laptops, servers, and smartphones containing sensitive information. Certifications from i-SIGMA, BAN, and SERI are supposed to ensure these providers follow strict standards. But when a certified company like Wisetek allows rampant theft of data-bearing devices, it betrays public trust, exposes sensitive data, and undermines the credibility of the entire industry. Without urgent action, more breaches will occur, risking personal privacy, corporate security, and even national safety.
Summary of the Incident
In February 2025, the U.S. Attorney’s Office for the District of Columbia announced that Nikhil Parekh, a former Wisetek driver, pleaded guilty to conspiracy to sell stolen goods, admitting to stealing and reselling thousands of data-bearing devices, including sensitive federal government assets, between July 2022 and August 2023.
On May 5, 2025, Parekh was sentenced to 12 months of probation and ordered to pay restitution not exceeding $10,000 to identifiable victims, reflecting the severity of his actions. These thefts involved devices from government agencies and contractors, with fake certificates of destruction issued to clients, falsely indicating that assets were securely data-wiped and destroyed. Specific incidents include the theft of devices from 10 pallets of government-furnished IT assets in January 2023 and of over 1,800 devices, including laptops, smartphones, and servers, from a U.S. government agency’s warehouse in March 2023.
The prosecution noted that, based on how the conspiracy operated, “there is ample basis to believe there are greater losses and even more victims,” as Parekh “had difficulty recalling precisely how many thousands of devices he had personally taken.”
The scheme not only defrauded organizations by charging for unperformed destruction services but also “exposed potentially sensitive data from different government agencies by simply re-selling these devices directly onto electronics re-sellers,” with only “10-15%” of devices being “clean.”
Wisetek, headquartered in Cork, Ireland, was acquired by Iron Mountain in September 2024, but the misconduct occurred while Wisetek held active NAID AAA, e-Stewards, and R2 certifications, which were displayed to clients as guarantees of secure ITAD practices.
Alarmingly, Parekh’s termination from Wisetek “did little to deter” him, as he “simply went to a similar ‘e-waste’ company where he essentially engaged in the same conduct,” exploiting “gaps in the internal controls of his employers.”
The prosecution emphasized that the “nature and breadth of his scheme would ordinarily warrant a significant punishment” due to “significant losses to victim agencies, only a fraction of which can adequately be captured after the fact,” and the potential exposure of sensitive data from government and corporate clients.
To date, there has been no public announcement from i-SIGMA, BAN, or SERI regarding client notifications, certification status, or systemic remediation efforts.
Concerns and Call to Action
The NAID AAA, e-Stewards, and R2 certifications are each positioned as the global gold standard for secure and ethical ITAD practices, with rigorous auditing and compliance requirements. However, the Wisetek driver theft case reveals systemic failures, as fraudulent certificates and thefts spanning 13 months went undetected.
The prosecution’s findings underscore the severity: the conspiracy’s scope suggests unquantified losses and victims, with sensitive data recklessly exposed to resellers with “little care” for security risks.
The absence of visible action—such as public suspension of Wisetek’s certifications, official client notifications, or announced remediation efforts—undermines the credibility of these certifications.
Many perceive a two-tier enforcement system, where larger players like Wisetek and Iron Mountain evade consequences for severe data security violations, while smaller vendors face swift punishment for lesser infractions, particularly environmental nonconformities. This disparity is evident when comparing cases like the Wisetek driver theft and the Morgan Stanley breach involving AnythingIT with the suspensions of smaller players like URT and RDI.
In the AnythingIT case, a data breach at Morgan Stanley involved the reselling of devices containing sensitive customer data. AnythingIT, despite holding e-Stewards certification, faced no visible consequences. Similarly, Wisetek and Iron Mountain have faced no public repercussions for the driver theft scandal, despite its massive scale and implications for data security.
Meanwhile, vendors like URT and RDI have been suspended for environmental nonconformities related to cathode ray tube (CRT) disposal—issues that, although important, pale in comparison to the harm caused by data breaches exposing sensitive government and corporate information. This double standard fuels frustration among members, who see environmental violations punished harshly while data security failures—a core promise of ITAD certifications—go unaddressed.
A two-tier system of enforcement undermines the integrity of certifications, and we believe that the root of the problem lies in a flawed business model. Larger players, often significant revenue sources for i-SIGMA, BAN, and SERI, appear to receive preferential treatment, while smaller vendors bear the brunt of enforcement.
Certification bodies also allow companies to select their own auditors, introducing clear conflicts of interest. When auditors rely on clients for business, rigorous oversight takes a back seat to client satisfaction. In situations where auditors are paid directly by the companies they assess, their impartiality is undermined, leading to hand-waved evaluations that prioritize client retention over rigorous scrutiny.
We urge i-SIGMA, BAN, and SERI to take the following actions:
- Initiate an Immediate Investigation: Conduct a thorough and independent investigation into the Wisetek driver theft case to assess compliance failures, audit processes, and the issuance of fraudulent certificates.
- Ensure Impartiality: Require Iron Mountain representatives on i-SIGMA, e-Stewards, or SERI boards to recuse themselves from any involvement in the investigation to avoid conflicts of interest.
- Enforce Penalties: If violations are confirmed, impose appropriate penalties, including potential suspension or revocation of Wisetek’s NAID AAA, e-Stewards, and R2 certifications, to demonstrate that no provider is above accountability.
- Notify Affected Parties: Mandate that Wisetek Iron Mountain notify all potentially affected clients of the data breach, as the lack of public disclosure leaves organizations unaware of potential risks.
- Conduct a Systemic Review: Evaluate and strengthen auditing and oversight mechanisms to prevent future failures, ensuring that certifications remain a reliable indicator of secure ITAD practices.
Certification Integrity and Public Trust
The fact that the misconduct occurred before Iron Mountain acquired Wisetek does not absolve i-SIGMA, BAN, or SERI of their responsibility to investigate the matter. Wisetek actively displayed NAID AAA, e-Stewards, and R2 certifications during the period of misconduct, and organizations relied on these credentials to entrust their sensitive assets to the company. Wisetek Iron Mountain continues to display the NAID AAA, e-Stewards, and R2 certifications.
Organizations worldwide depend on NAID AAA, e-Stewards, and R2 certifications to safeguard their data and comply with regulatory requirements. Failure to act decisively in this case not only jeopardizes affected parties but also diminishes the value of these certifications for all compliant vendors.
We implore i-SIGMA, BAN, and SERI to uphold their missions of promoting secure information governance and responsible electronics recycling by addressing this breach with transparency, urgency, and impartiality.
We look forward to your prompt response and a public statement outlining the steps i-SIGMA, BAN, and SERI will take to address this matter. The integrity of your certifications and the trust of the ITAD industry are at stake.

Petition created on June 25, 2025