My statement was more about principle, rather than this particular incident. In this case the person admitted to having the password and was seeking to extort payment, that is problematic (the information was not theirs to sell, they did steal the by denying access to it by the proper owners). The hardware, well, the employer has to prove it is theirs and the contractual conditions under which they gave the employee that hardware, before they can try to claim it back. Obviously they did not simply claim it was stolen, hence it ownership is questionable, they can only really sue for it's return. Google is still largely at fault for the problem, they simply did the cheap thing, fobbed it off and failed to deal with it properly.