Audit identified risk of data breach after devices sold on to third party who had access to warehouse.