Although system intrusions still account for an overwhelming percentage of data breach incidents, lost and stolen assets saw an uptick as well, according to the 2026 Verizon Data Breach Investigations report. One cause that often flies under the radar is the improper disposal of old equipment.
Computers and other decommissioned devices that go out of service often hold sensitive data that could end up in the hands of criminals if their hard drives are not destroyed or properly sanitized. A 2026 study published by the data erasure software firm Blancco Technology Group found that 38% of global IT and compliance leaders across regulated organizations experienced a data leak over the past year. Forty-two percent of those leaks were linked to lost devices, and another 25% to stolen devices, “which may occur during everyday use or throughout the decommissioning process,” the report states.
Desktop and laptop computers are the most obvious examples of such devices. But Marc Ashworth, who served as the chief information security officer (CISO) at $6.7 billion First Bank, based in Creve Coeur, Missouri, from 2017 to 2025, says sensitive data also sits on devices many would never think about. “Copiers, for example — they have hard drives in there,” Ashworth says. “When you print stuff, there’s a lot of sensitive data that goes [into] there.”
Chris McDevitt, CEO of Mansfield Technologies, which provides data disposal services for financial institutions and other businesses, says there are more devices storing more types of data than ever before. “Some of the newest ATMs from Diebold [Nixdorf] and Hyosung [Americas] and NCR [Atleos] — they’re capturing biometrics in certain locations and they’re capturing IDs,” he says. “How is that data being stored? Where is it being stored?”
There are also frontier artificial intelligence models like Claude Mythos that present even more concerns, says Ashworth. “It used to be that you had to worry about a skilled forensic analyst just recovering the data, and then it’s going to take time to do that,” he says. “But with something like Mythos and AI in general, that’s accelerating that ability and the time to correlate, reconstruct and extract information to create data sets.”
For all those reasons, failing to rid such decommissioned devices of all data can result in any number of cybersecurity concerns. “Recovered data could be used for account takeover, identity theft, synthetic identity fraud, business email compromises,” Ashworth says. “We can also get into operational risk if it was maybe an executive’s laptop and there’s strategic information on there that was recovered.”
Destroy If Possible
The surefire way to ensure that no data will ever be recovered from a decommissioned device is to physically destroy its hard drive. “Onsite physical destruction is the highest standard,” McDevitt says. “Doing it yourself is the perfect, ideal scenario. I would say the next ideal [scenario] would be a vendor coming on site with a shred truck where they’re physically destroying it under your supervision.”
But some smaller financial institutions that lack a CISO and the budget for such destruction methods hand their decommissioned devices over to companies that provide data sanitization services — which means they promise to wipe all the data off the hard drives before recycling or reselling them. McDevitt says most are very reliable, but financial institutions have to vet them thoroughly, because if a vendor isn’t doing what it claims, problems can arise — the most famous of which resulted in an enforcement action against two of the nation’s largest banks.
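One way a bank’s own staff can check a wipe before a drive leaves their custody, or spot-check drives a vendor reports as sanitized, is to read the drive image back and look for residue. The following is an added example, not code from the article or from any firm quoted in it; it runs against small constructed images rather than real drives and assumes that a properly overwritten drive contains only constant-byte blocks (zero or pattern wipe) or high-entropy blocks (random overwrite or cryptographic erase). Partition-table and filesystem signatures that survive a quick format, and low-entropy blocks that still look like records, are both flagged.

```python
"""Sampling-based check that a drive image shows no residue of the data it held.

Added example with constructed sample images, not real drives. Assumption: a
sanitized drive holds only constant-byte blocks (zero/pattern wipe) or
high-entropy blocks (random overwrite / crypto erase); anything else is residue
that should be examined before the device leaves the institution's custody.
"""
import math
import random
from collections import Counter

BLOCK_SIZE = 4096
ENTROPY_FLOOR = 7.5  # bits per byte; random-overwritten 4 KiB blocks sit near 7.95

# On-disk structures that survive a quick format or file deletion but not a wipe.
# (name, byte offset from start of drive, expected magic bytes)
SIGNATURES = [
    ("MBR boot signature", 0x1FE, b"\x55\xAA"),
    ("NTFS OEM identifier", 0x03, b"NTFS    "),
    ("GPT header", 512, b"EFI PART"),
    ("ext2/3/4 superblock magic", 1024 + 0x38, b"\x53\xEF"),
]


def shannon_entropy(block: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 for a constant block)."""
    total = len(block)
    counts = Counter(block)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def verify_sanitized(image: bytes, sample_blocks: int = 32, seed: int = 0) -> dict:
    """Return findings for a drive image; 'sanitized' is True only if nothing was flagged."""
    n_blocks = len(image) // BLOCK_SIZE
    if n_blocks == 0:
        raise ValueError("image smaller than one block")
    findings = [
        f"{name} at offset {offset:#x}"
        for name, offset, magic in SIGNATURES
        if image[offset:offset + len(magic)] == magic
    ]
    rng = random.Random(seed)  # fixed seed so a re-run samples the same blocks
    suspicious = []
    for _ in range(sample_blocks):
        idx = rng.randrange(n_blocks)
        block = image[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE]
        constant = block.count(block[0:1]) == len(block)  # zero or pattern wipe
        if not constant and shannon_entropy(block) < ENTROPY_FLOOR:
            suspicious.append(idx)  # structured, not random: looks like leftover data
    return {
        "sanitized": not findings and not suspicious,
        "signatures": findings,
        "suspicious_blocks": sorted(set(suspicious)),
        "sampled": sample_blocks,
    }


def build_samples(n_blocks: int = 64) -> dict:
    """Constructed images: a zero wipe, a random overwrite, and a merely reformatted drive."""
    size = n_blocks * BLOCK_SIZE
    zero_wipe = bytes(size)
    rng = random.Random(1)
    random_wipe = rng.getrandbits(8 * size).to_bytes(size, "little")
    unwiped = bytearray(size)
    unwiped[0x03:0x0B] = b"NTFS    "       # filesystem header left in place
    unwiped[0x1FE:0x200] = b"\x55\xAA"     # boot sector still marked valid
    record = b"ACCT 0001 BALANCE 1000.00\n"  # constructed, low-entropy "customer data"
    filler = (record * (BLOCK_SIZE // len(record) + 1))[:BLOCK_SIZE]
    for idx in range(1, n_blocks, 2):      # every other block still holds records
        unwiped[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = filler
    return {"zero_wipe": zero_wipe, "random_wipe": random_wipe, "unwiped": bytes(unwiped)}


if __name__ == "__main__":
    for label, image in build_samples().items():
        print(label, verify_sanitized(image))
```

On a real drive the image would come from a raw block read of the whole device, and the sample count would be scaled to the drive size; a clean result is evidence for the asset record, while any finding means the drive should be held back and either re-wiped or physically destroyed.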
The Office of the Comptroller of the Currency in 2020 assessed a $60 million fine against Morgan Stanley Bank, based in Salt Lake City, Utah, and Morgan Stanley Private Bank, based in Purchase, New York, for several violations. The violations stemmed from improper data disposal on decommissioned devices at two wealth management business data centers owned by the banks’ holding company, Morgan Stanley, and resulted in a public data breach. In a statement provided to a news organization at the time, a Morgan Stanley spokesperson said the company has “continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused.”
Nonetheless, the New York Attorney General also held Morgan Stanley responsible for hiring a third-party moving company that failed to properly sanitize the data on those devices — one of several entities that reached a settlement with the company on behalf of customers. “You’re not going to get grace,” McDevitt says. “The bank is going to be in the news. And so, the more hardware you get rid of, the more often you’re rolling that dice.”
Establish a Process for Data Disposal
That risk is why financial institutions are expected to develop data destruction policies and procedures that follow guidelines set by various organizations, including the Federal Financial Institutions Examination Council. The FFIEC guidelines are based on provisions of the Gramm-Leach-Bliley Act (GLBA), a federal law that dictates how financial institutions must protect and disclose consumer financial data. Lisa Sotto, a managing partner who chairs the global data, cyber and privacy practice at the law firm Hunton, Andrews, Kurth, also encourages financial institutions to abide by the even higher data disposal standards set by the New York Department of Financial Services and the National Institute of Standards and Technology.
“I think what you want to show a regulator is that you take a systematic approach to data and device destruction,” Sotto says. “It may be that there’s a record from 1999 that’s sitting there, but if you can show that there’s a formal process in place and that for the most part the entity follows that process, I think that goes a long way towards satisfying regulators.”
Ashworth says it is best practice to start that process long before the device is ready for decommissioning. “It starts from the very beginning. So, as soon as that device is purchased, that whole asset inventory management is key to that,” he says, adding that each device should be outfitted with data encryption and have its data permission levels set before it goes into service. Banks should also be tracking who is using the device and for what purposes throughout its life cycle.
Peter Swire, a professor of law at Georgia Tech University’s School of Cybersecurity and Privacy, says regulators will also work with financial institutions to correct any data destruction compliance issues through a confidential supervisory process.
“Compared to other enforcement agencies, bank regulators can take many more staged interventions on the way to deciding to have an enforcement case,” he says. “The regulators can point out, ‘Everyone else has this kind of disposal program now and you haven’t put it in place. We really think when we come back in six months or a year, you should have it in place.’ And that can even help the CISO.”
As a result, regulators proceed with very few enforcement actions. But Swire says because regulators focus on process and not outcomes, it’s really unknown just how many financial institutions are following through with proper data sanitization.
McDevitt says even though there is a low risk that unsanitized data will ever result in a public breach, it isn’t a gamble worth taking. “When it does go wrong, it’s immediately determined to be negligence,” he says.