There’s been a lot of talk in recent years about data breaches. The theft and sale of stolen data, including personally identifying information (PII), corporations’ trade secrets, and world governments’ most embarrassing classified information, has become both commonplace and lucrative. In fact, data is widely considered more valuable than commodities like oil or gold.
At the same time, an age-old problem has gotten renewed attention over the last few years: countries that do not abide by international intellectual property (IP) or copyright laws. Right or wrong, one country in particular is consistently accused of impropriety in this area: China.
Along with China, other governments around the world have upped their investment and expertise in data theft, with teams of specialized state actor hackers with adorable-sounding nicknames on their payrolls. Two of the other countries accused? Russia and Iran.
Additionally, many countries have banned their government agencies and their contractors and subcontractors from using other countries’ technologies. Reasons ranging from general privacy to national security concerns are cited when banning technologies from these countries, which are often hostile foreign powers. Examples of this practice include Canada prohibiting the transport of data outside the country by agencies via international cloud service providers; the US blacklisting Huawei mobile and networking devices and Kaspersky security software; and Germany banning Microsoft, Google, and Apple cloud services, to name just a few.
Finally, one glaring blind spot for data theft is in the IT asset disposition (ITAD) arena when IT assets are retired and when ITAD vendors of wildly varying legitimacy, competency and certification are engaged to process them. E-waste is the world’s fastest growing type of waste, and tons of data-bearing devices are being retired every day by consumers, corporations, and government agencies. ITAD vendors, among other things, are tasked and trusted to destroy such data before reselling the devices into secondary markets or physically destroying and recycling data drives or entire devices.
But it is important to recognize that improprieties can and do occur in the ITAD space; in fact, there has already been one documented case of criminal convictions from a recycler. Depending on whose version of events you believe, the owners’ or the prosecutors’, American recycling company Total Reclaim Inc. was either reselling retired IT assets they were paid to destroy or “downstreaming” them to a company in Hong Kong for less expensive recycling.
A complex relationship becomes more complex: enter China
Based on these many examples, it’s clear that the relationship between ITAD, data destruction and responsible recycling is a complex one. But there is an even stranger disconnect to consider: What happens when major IT companies under foreign ownership are responsible for a growing amount of data belonging to U.S. corporations and, worse, U.S. government agencies?
Two examples of this disconnect are USB Recycling and Green Tech Solution, U.S. subsidiaries of investment firm Tianjin Sheng Xin Non-Financing Guarantee Company based in Tianjin, China. In 2017 and 2018, the Chinese parent company invested almost $76 million into converting old textile plants in North and South Carolina into recycling plants that are now focused on processing electronics such as old computers and mobile telephones bought from schools, industry, and big companies.
Recently, on November 18, 2019, USB Recycling announced that they’ve joined TERRA (The Electronics Reuse & Recycling Alliance) to provide electronics recycling options for residents of North Carolina, South Carolina and Virginia. This will allow USB Recycling to offer “secure data destruction services” to more than 14.6 million residents in 146 counties from their and Green Tech Solution’s facilities in the Carolinas.
Another larger, less obvious example is Ingram Micro, a distributor of information technology products owned by HNA Technology of China. In December 2016, Chinese company Tianhai Investment (now known as HNA Technology) acquired Ingram Micro in an all-cash transaction. During this leveraged buyout, the company borrowed a huge sum from the Agricultural Bank of China (ABC). ABC is also known as AgBank and is one of the “Big Four” banks in the People’s Republic of China. ABC was founded in 1951, and approximately 83% of it is owned by China’s Ministry of Finance, Central Huijin Investment Company and the National Social Security Fund.
It is not difficult to conclude that the Chinese government eagerly sought control of Ingram Micro, which was ranked 64th on the 2016 Fortune 500 list, with 33,000 employees, subsidiaries, and channel partners. That control would give China access to a sizable global client base and IT infrastructure. Since then, Ingram Micro has expanded its global ITAD services offering significantly, including the addition of new facilities and a recently announced channel partner program.
Are foreign powers acquiring your data right out from under your nose?
“Companies take several extreme measures to prevent costly data breaches over their networks,” according to Jeff Londres, founder and CEO of NextUse, a certified data destruction specialized ITAD company. “But when it’s time to retire these data-bearing IT assets, they hand them over to ITAD vendors owned by foreign countries with horrible track records of respecting data privacy and ownership. With everything going on with China, it makes no sense that the U.S. government isn’t more concerned about Chinese-owned companies like Ingram Micro.”
If that isn’t concerning enough, China is about to implement the final stages of a comprehensive internet security and surveillance program, whereby all data in the country must be visible to the government: no encryption, no VPNs, no exceptions. The program applies to foreign companies, with no exclusions for IP or trade secrets. Even classified data or national security concerns of foreign countries and their government contractors working in China will not be excluded. It applies to all communications and data transmitted across Chinese networks and housed on servers within the country. China is being very transparent about its intentions in all of this.
Is all data on all retired IT assets handled by foreign-owned companies in peril? Probably not. However, if we’re raising the alarm over applications like FaceApp and TikTok, it’s reasonable to take a closer look at handing over PII, IP, other corporate data, and classified information to companies owned by hostile or unlawful countries, especially considering that many of the governments of these countries exercise de facto control over the major private companies that reside there.
So, what’s the best way to keep China, Russia and other countries from stealing your data? Being diligent and protecting data on IT assets that are in active use isn’t enough. As you retire these data-bearing assets, research who owns your ITAD vendors, always choose a vendor that is specialized in data security and destruction through NAID AAA certification, and rest easy knowing that your sensitive data has been securely and irretrievably retired as well.