USAID’s Reckless ITAD Gamble
From Zero-Trust to Only-Trust
The U.S. Agency for International Development (USAID) has adopted a dangerously irresponsible policy by refusing to collect government-issued devices — phones, laptops, and iPads — from former employees, leaving them to dispose of these assets independently. As reported by The Verge, this approach abandons secure IT asset disposition (ITAD), exposing sensitive data to catastrophic risks. This negligence mirrors a broader pattern of government unaccountability, as seen in recent reports slamming the Federal Bureau of Investigation (FBI) and the U.S. Nuclear Regulatory Commission (NRC) for similarly reckless ITAD practices. By relying on unaccountable methods like remote wiping and neglecting physical control, verified erasure, and documentation, USAID is inviting data breaches that could compromise personnel records, international contacts, financial details, and national security.
A Pattern of Government Unaccountability
USAID’s policy is not an isolated failure but part of a disturbing trend of government agencies flouting secure ITAD practices, jeopardizing national security. In August 2024, the Department of Justice Office of the Inspector General (OIG) released a scathing report on the FBI’s ITAD practices, uncovering untracked hard drives, unmarked classified data, and a disposal facility with security so lax that pallets of sensitive media were left unsecured for days or weeks. An FBI supervisor admitted they would not know if hard drives were stolen because assets were not counted or tracked. Similarly, a July 2024 NRC OIG evaluation found noncompliance, including unreturned laptops from former employees and over two-thirds of tracked devices missing from their reported locations.
These findings reveal a systemic disregard for accountability in handling sensitive data across federal agencies. USAID’s decision to delegate device disposal to former employees fits this pattern, amplifying the risk of data leaks with far-reaching consequences.
The Perils of Unaccountable ITAD
Unaccountable ITAD is a national security disaster waiting to happen, especially for USAID, whose devices contain critical information:
- Personnel Records: Personal details of staff, contractors, and partners, ripe for identity theft or targeted attacks.
- International Contacts: Information about local partners, government officials, or community leaders in countries where USAID operates, where exposure could endanger lives or disrupt diplomacy.
- Financial Details: Bank account information and payment records for partner organizations, vulnerable to fraud or cyberattacks.
Without a robust ITAD process — physical device collection, certified data erasure to standards like NIST SP 800-88, and auditable documentation — sensitive data remains recoverable. USAID’s policy, like the FBI’s and NRC’s failures, leaves devices untracked and unverified, risking leaks that could harm individuals, operations, and U.S. interests globally.
The False Security of Remote Wiping
USAID’s reliance on remote wiping is as flawed as the FBI’s untracked disposal practices. Remote wiping is an emergency measure, not a substitute for secure ITAD. Its weaknesses are stark:
- Internet Dependency: Wipes require an active internet connection. Offline devices remain untouched, with data intact.
- Hard Drive Replacement: A thief can remove or replace the hard drive before a wipe, retaining all data.
- Loss of Surprise: Announcing a wipe in advance, which USAID’s policy risks by delegating disposal, gives thieves time to extract data. Surprise is critical for remote wiping to work.
The FBI’s unmarked, unsecured drives and USAID’s uncollected devices both bypass the physical control and verified erasure needed to ensure data security. Remote wiping cannot protect the sensitive information these agencies handle.
A Reckless Approach Rooted in Negligence
USAID’s decision to shift disposal responsibilities to former employees embodies an “only trust, never verify” mindset, rejecting the Zero Trust principle of “never trust, always verify.” This mirrors the FBI’s failure to track hard drives and the NRC’s inability to locate devices. These agencies assume compliance without enforcing it, ignoring the potential for error, negligence, or malice. With no mechanisms to track devices or confirm erasure, USAID, like its counterparts, is creating a perfect storm for breaches — a systemic betrayal of accountability that threatens national security.
The Wisetek Warning
The risks are not hypothetical. In February 2025, the USAID Office of Inspector General announced a plea deal with a driver for Wisetek, an ITAD vendor, who stole and sold hundreds of government-issued laptops and smartphones from clients in Washington, DC. Undetected for 13 months, this theft likely exposed sensitive data, constituting a potentially massive, unreported breach. The FBI’s lax facility security, where unmarked classified drives sat exposed, shows similar vulnerabilities. These incidents underscore the dangers of unaccountable ITAD, yet USAID has responded by further loosening controls, doubling down on negligence.
USAID’s Failure of Responsibility
Government agencies must uphold the highest data security standards. Secure ITAD requires:
- Physical Control: Collecting and tracking all devices.
- Verified Data Erasure: Using certified tools to ensure data is irretrievable.
- Proper Documentation: Maintaining auditable records for compliance.
USAID, the FBI, and the NRC flout these principles, endangering personnel, partners, and national security. By prioritizing convenience over accountability, these agencies fail their missions and invite scrutiny.
A Call for Accountability
USAID must abandon this reckless policy and adopt a rigorous ITAD framework, as must other agencies like the FBI and NRC. USAID should:
- Require the return of all devices to a secure, centralized facility.
- Enforce certified data erasure with third-party verification.
- Strengthen vendor oversight to prevent repeats of the Wisetek incident.
- Investigate the Wisetek breach to assess its full impact.
Unaccountable ITAD is a national security crisis. USAID’s reliance on remote wiping, alongside the FBI’s and NRC’s failures, risks devastating breaches that could expose sensitive data with far-reaching consequences. These agencies must act now to restore accountability and protect the trust placed in them — before the next breach proves the cost of inaction.
Interested in learning more? Connect with me on LinkedIn or contact me at Retire-IT. My book, “Where the IT Lifecycle Ends,” offers solutions for a secure and compliant ITAD program.