
Easy Costs More: Why Cheap or Inexperienced IT Disposal Can Become an Expensive Data Breach

By Braden Janse Van Rensburg 9 June 2026 10 min read

Old hard drives, USB sticks and reused memory chips can still contain recoverable data, even when they look empty. This blog explores why UK businesses should avoid quick wipes, factory resets and cheap or inexperienced disposal companies when handling data-bearing equipment.

Getting rid of old IT equipment should be simple.

You clear out the storage room. The old laptops, PCs, hard drives, servers, phones and USB sticks are collected.

The office gets some space back. The job feels done.

But when that equipment has stored data, disposal is not just a clearance task. It is a security process.

And when organisations take the easiest route, the cheapest route or the route that looks convenient in the moment, the real cost can appear much later.

That cost might be a fine. It might be reputational damage. It might be a customer asking why their information was found on a second-hand device. It might be the uncomfortable realisation that equipment thought to be “wiped” was never properly erased at all.

The lesson is simple: Easy costs more.

Not always on the invoice. But often in the risk that follows.

Looking Empty Is Not the Same as Being Secure

One of the biggest misunderstandings around IT disposal is the belief that if a device looks empty, the data must be gone.

  1. A laptop has been factory reset.

  2. A hard drive has been formatted.

  3. A USB stick opens with no visible files.

  4. A phone has no user account left on it.

  5. A printer, TV or voice recorder does not even look like a typical data risk.

To most people, that feels safe.

But data is not always removed just because it is no longer visible. Deleted files, old backups, cached data, temporary files, formatted drives and internal storage areas can still hold recoverable information if the device has not been properly erased or destroyed.

For businesses, this matters because old equipment rarely contains harmless data. It may hold customer records, employee information, financial files, HR documents, emails, contracts, images, login details, saved downloads, scanned documents or confidential internal material.

And once that equipment leaves your control, the risk becomes harder to manage.

The Early Warning: Second-Hand Hard Drives Still Held Data

More than a decade ago, an ICO-backed investigation showed how common poor data wiping could be.

The Information Commissioner’s Office asked NCC Group to source around 200 second-hand hard drives, as well as memory sticks and mobile phones. These devices were purchased from online auction sites and some were sourced from computer trade fairs.

The hard drives were then checked, first without specialist software and then using forensic tools.

The results were a warning to every business handling old IT equipment.

| Finding | Approximate number | Percentage of the ~200 drives |
| --- | --- | --- |
| Unreadable or wiped | 104 | 52% |
| Contained recoverable information | 96 | 48% |

Of those 96 drives with recoverable information:

| Finding | Approximate number | Percentage of the ~200 drives |
| --- | --- | --- |
| Contained personal data | 22 | 11% |
| Contained employee or client organisation data | 4 | 2% |

Of those 22 that contained personal data, at least 2 drives had enough information for identity theft.

The important point is not just that data was found.

It is that many of these drives may have looked safe to a normal buyer. A device can appear blank, formatted or cleared, while forensic tools can still recover information from underneath.

That is why basic deletion, quick formatting and assumption-based disposal are not enough for business equipment.

If there is no proof that the data has been erased or destroyed properly, there is still a question mark over what might remain.

Case Study: NHS Surrey and the True Cost of “Free” Disposal

The NHS Surrey case is one of the clearest examples of why easy disposal can become expensive disposal.

In 2013, NHS Surrey was fined £200,000 by the ICO after more than 3,000 patient records were found on a second-hand computer bought through an online auction site.

The story behind the breach is what makes it so relevant. NHS Surrey had previously used an approved provider for data destruction. It then chose to use a different company that offered to destroy old IT equipment for free. The arrangement allowed the company to sell salvageable materials after the hard drives were meant to have been securely destroyed.

On paper, that might have looked like a saving.

In reality, it became a serious data breach.

A member of the public bought a second-hand computer online and found patient information on it. NHS Surrey later recovered further computers, some of which still contained sensitive personal data. The ICO found that NHS Surrey had not put proper controls in place. There was no proper contract clearly setting out the provider’s legal responsibilities. NHS Surrey also failed to properly observe and monitor the destruction process.

This was not a complex cyber attack.

It was not a hacker forcing their way into a system.

It was a failure of process.

The data was not protected because the disposal route was not properly controlled.

The simple takeaway is this: Free disposal is not free if it comes without due diligence, verification and proof.

A company offering to remove or destroy equipment for little or no cost may still create risk if they do not have the right experience, process, certification, asset tracking and documentation in place.

Case Study: Morgan Stanley and Why Data Destruction Is Not a Moving Job

Morgan Stanley’s case shows that this issue is not limited to old examples or smaller organisations.

In 2022, the SEC announced a $35 million penalty against Morgan Stanley Smith Barney after failures linked to the disposal of devices containing customer personal information.

According to the SEC, Morgan Stanley hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers. These devices contained customer personal identifying information.

The SEC said Morgan Stanley failed to properly monitor the contractor’s work. Some devices were later sold to a third party, and some were eventually resold through online auction sites while still containing customer information.

The scale was significant. The SEC said the failures affected the personal identifying information of approximately 15 million customers.

In 2023, Morgan Stanley also reached a $6.5 million multistate settlement over failures to decommission computers and erase unencrypted data from devices that were later auctioned while still containing personal information.

This case is a reminder that old IT equipment cannot be treated like ordinary office furniture.

A server is not just a metal box.

A hard drive is not just a spare part.

A retired device may still hold live risk.

The lesson is clear: Data destruction is not a moving job.

If a provider does not specialise in secure IT asset disposal, certified data erasure, physical destruction, asset reporting and chain of custody, they should not be trusted with data-bearing equipment.

The Modern Problem: New-Looking Flash Drives With Old Data

It would be easy to think this is only a hard drive problem.

It is not.

A 2025 study called In Search of Lost Data: A Study of Flash Sanitization Practices analysed 614 low-cost USB flash drives. Researchers recovered recognisable old user data from 75 of them, which is more than 12%. The data included photos, videos, music, documents, source code, voice recordings and system files.

The researchers believe the issue was likely linked to reused memory chips being placed into new USB drives without being properly sanitised. That is important because the drives were sold as new, yet some appeared to contain memory chips that had been used before.

More strikingly, some of the recovered data suggested the chips may previously have been used in devices such as Android devices, Chrome OS systems, smart TVs, printers and voice recorders.

This changes the way businesses should think about data-bearing assets. Data risk does not always sit where people expect it.

  • A printer may store scanned documents.

  • A smart TV may contain user data.

  • A voice recorder may contain audio files.

  • A USB stick may contain traces from a previous device.

  • A small memory chip may be removed, reused and placed back into circulation.

In other words, the risk is not only in the device you can see.

It can be hidden inside the component you did not think about.

What Does “Non-Trivial User Data” Mean?

The flash storage study uses the phrase “non-trivial user data.”

That sounds technical, but the meaning is simple. The researchers were not just finding random digital noise, unreadable fragments or meaningless bits of information. They were finding recognisable, recoverable data.

That matters.

If data can be recovered, identified and linked to a previous user, system or organisation, it is no longer harmless. For a business, that kind of data could include employee information, customer details, documents, images, emails, login data, financial files or internal records.

This is why “it looked empty” is not a defence.

If the data can still be recovered, the risk still exists.

Why Is Cheap IT Disposal Risky?

Cheap IT disposal is not automatically unsafe.

But cheap or inexperienced disposal becomes risky when it replaces proper due diligence and common sense.

The question should never be: Who can take this away for the lowest price?

The better question is: Who can prove what happened to the data?

With data-bearing equipment, the cost of disposal is not only the collection fee. The real value is in the security process behind it. That includes how assets are collected, tracked, erased, destroyed, reported and recycled.

A provider may be cheaper because they are not doing all of that properly. They may not be tracking serial numbers. They may not be verifying erasure. They may not issue meaningful certificates. They may not have clear chain of custody. They may not understand the difference between general recycling and secure IT asset disposal.

By the time a problem is discovered, the equipment may already be resold, exported, stripped for parts, recycled incorrectly or impossible to recover.

That is when cheap becomes expensive.

Can a Factory Reset Remove All Data?

A factory reset can help, but it should not be treated as proof that a business device is safe to dispose of. The effectiveness of a factory reset depends on the device, the storage type, encryption settings, reset method and whether the process has been verified afterwards.

For personal devices, a reset may feel enough.

For business equipment, it is not a complete disposal policy.

The ICO warned in 2024 that around 14 million UK adults do not know how to wipe personal information from an old device. The average Brit also has three unused devices sitting at home. For organisations, the risk is much higher because the data involved is not just personal convenience. It can be regulated, confidential, commercially sensitive or linked to customers and employees.

A factory reset may make a device look clean. Professional erasure provides evidence.

That difference matters.

What Is Certified Data Erasure?

Certified data erasure is the process of securely removing data from a device and providing documentation to show that the process has been completed.

It is not the same as dragging files into a recycle bin.

It is not the same as a quick format.

It is not simply trusting that a device “looks wiped.”

A proper data erasure process should use the right method for the device type, verify that erasure has completed successfully and provide a clear record for the organisation.

That record may include:

  • Device type

  • Serial number

  • Erasure method

  • Erasure result

  • Date completed

  • Asset report

  • Certificate of erasure or destruction

The purpose is simple.

It gives businesses proof.

Without proof, you are left relying on trust and assumption.

And you know what they say about when you assume... it makes an '🫏' out of 'u' and 'me'.
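To make "looking empty is not the same as being secure" concrete, and to show what the erasure record fields above look like when the "Erasure result" comes from an actual verification pass, here is an added example (written for this article, not code from Premier IT Disposal or from any erasure product). It uses a constructed in-memory drive image with a made-up one-sector "filesystem header"; a quick format only clears that header, a proper erasure overwrites every sector, and a carving pass over the raw bytes decides which one actually removed the data.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample: an 8-sector "drive image" with a fake filesystem header in
# sector 0 that points at the sector holding a (made-up) customer record.
SECTOR = 512
CUSTOMER_RECORD = b"Customer: J. Example, NI number: QQ123456C, card ending 1234"

def make_drive() -> bytearray:
    img = bytearray(8 * SECTOR)
    img[0:8] = b"FAKEFS01"                       # header magic
    img[8:16] = (3).to_bytes(8, "little")        # directory entry -> sector 3
    img[3 * SECTOR:3 * SECTOR + len(CUSTOMER_RECORD)] = CUSTOMER_RECORD
    return img

def visible_files(img: bytearray) -> list:
    """What a normal file browser would show: it only follows the directory."""
    if bytes(img[0:8]) != b"FAKEFS01":
        return []                                # no directory -> "looks empty"
    return [int.from_bytes(img[8:16], "little")]

def quick_format(img: bytearray) -> None:
    """Clear only the header/directory sector, as a quick format or reset does."""
    img[0:SECTOR] = bytes(SECTOR)

def overwrite_all(img: bytearray, fill: bytes = b"\x00") -> None:
    """Overwrite every sector, as an erasure tool does."""
    for i in range(0, len(img), SECTOR):
        img[i:i + SECTOR] = fill * SECTOR

def carve(img: bytes, needles=(b"Customer:", b"NI number")) -> list:
    """Verification pass: scan the raw bytes, ignoring the directory entirely."""
    return [n.decode() for n in needles if n in img]

def erasure_record(device_type: str, serial: str, method: str, img: bytearray) -> dict:
    """Record with the fields listed above; the result is the carving outcome."""
    leftovers = carve(bytes(img))
    return {
        "Device type": device_type,
        "Serial number": serial,
        "Erasure method": method,
        "Erasure result": "PASS" if not leftovers else f"FAIL: found {leftovers}",
        "Date completed": datetime.now(timezone.utc).date().isoformat(),
        "Image SHA-256": hashlib.sha256(bytes(img)).hexdigest(),
    }

def demo() -> tuple:
    """Quick format vs full overwrite on two constructed drives (serials made up)."""
    a = make_drive(); quick_format(a)            # looks empty, data still there
    b = make_drive(); overwrite_all(b)           # every sector overwritten
    return (erasure_record("HDD", "SN-EXAMPLE-001", "quick format", a),
            erasure_record("HDD", "SN-EXAMPLE-002", "single-pass overwrite, verified", b))
```

The caveat the article gives about storage type applies here too: on flash media a host-side overwrite does not guarantee every physical cell is reached, which is why the method must suit the device and the verification step is not optional.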

When Should Physical Destruction Be Used?

Not every device should be erased and reused.

Some assets are faulty. Some cannot be accessed. Some contain highly sensitive information. Some may not be suitable for remarketing. Some devices may need physical destruction to remove the risk completely.

Physical destruction can include methods such as shredding, crushing or other approved destruction processes depending on the asset and the level of security required.

The important thing is that destruction should be documented.

A destroyed drive without a certificate still leaves unanswered questions.

A certified destruction process gives a business a record of what was destroyed, when it was destroyed and how it was handled.

Why Chain of Custody Matters

Chain of custody is one of the most important parts of secure IT disposal.

It means there is a documented record of who handled the asset, where it went and what happened to it. This matters because many data disposal failures happen in the gaps.

  1. A device is handed to a contractor.

  2. A box of drives is moved.

  3. Equipment goes into storage.

  4. A third party gets involved.

  5. Assets are resold.

  6. Something is missing.

Without chain of custody, it becomes difficult to prove where the equipment went or who was responsible for it at each stage.

With chain of custody, the process is clearer, safer and easier to evidence.
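The gaps listed above are exactly what a custody log has to make visible. As an added illustration (not Premier IT Disposal's system; the serials, handlers and timestamps are constructed), this hash-chains each custody entry to the one before it, so an edited or removed entry is detected, and it reports any asset that was collected but never reached a documented erased or destroyed state.

```python
import hashlib
import json

GENESIS = "0" * 64

def entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash of this entry bound to the previous entry's hash."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(chain: list, **fields) -> list:
    """Add a custody event (serial, event, handler, location, ts) to the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = dict(fields)
    chain.append({**entry, "hash": entry_hash(prev, entry)})
    return chain

def verify(chain: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        entry = {k: v for k, v in rec.items() if k != "hash"}
        if entry_hash(prev, entry) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, -1

def assets_without_outcome(chain: list, terminal=("erased", "destroyed")) -> set:
    """Serials that were collected but never reached a documented end state."""
    seen = {rec["serial"] for rec in chain}
    done = {rec["serial"] for rec in chain if rec["event"] in terminal}
    return seen - done

def sample_chain() -> list:
    """Constructed log: two drives collected, only one has a documented outcome."""
    c = []
    append(c, serial="SN-EXAMPLE-001", event="collected", handler="driver A",
           location="client site", ts="2026-06-01T09:00Z")
    append(c, serial="SN-EXAMPLE-002", event="collected", handler="driver A",
           location="client site", ts="2026-06-01T09:05Z")
    append(c, serial="SN-EXAMPLE-001", event="received", handler="warehouse B",
           location="secure store", ts="2026-06-01T14:00Z")
    append(c, serial="SN-EXAMPLE-002", event="received", handler="warehouse B",
           location="secure store", ts="2026-06-01T14:00Z")
    append(c, serial="SN-EXAMPLE-001", event="erased", handler="technician C",
           location="erasure bay", ts="2026-06-02T10:30Z")
    return c

def tamper(chain: list) -> list:
    """Simulate someone quietly editing where a drive was received."""
    chain[2]["location"] = "unknown van"
    return chain
```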

What Should Businesses Ask Before Choosing an IT Disposal Company?

Before choosing a provider, businesses should ask practical questions:

  • Can you provide certificates of erasure or destruction?

  • Do you record asset serial numbers?

  • How do you track equipment after collection?

  • Do you offer chain of custody?

  • What happens to devices that cannot be erased?

  • Are devices physically destroyed when required?

  • Can you provide clear reporting?

  • Are you experienced in handling business IT equipment? Do you understand data-bearing assets beyond laptops and hard drives?

  • Do you recycle and remarket responsibly?

These questions help separate a genuine IT asset disposal provider from a general clearance or recycling company.

Treat it like choosing a restaurant for dinner with your significant other. You can see the sponsored ad claiming the best steaks in the country at the lowest price, but if a little due diligence shows the establishment has a 2 star hygiene rating and 2 stars on Google, would you really trust them with the lovely evening you are looking for? Most likely you would be dealing with the consequences later down the line.

The cheapest option may remove the equipment. The right option removes the risk.

But the right option can also be the cheapest and easiest. With technology becoming more valuable and more emphasis placed on a circular economy, many professional ITAD companies may offer free collections and even rebates on your equipment through resale and remarketing. Not only can you trust that they will erase the data, because they are certified and experienced, but you can get value back from that old equipment and know it is not going to landfill but being repurposed and reused.

Final Thought

Looking empty is not the same as being secure.

A device can be wiped, reset, formatted or resold and still contain recoverable information. A small component can hold data long after the original device has been broken down. A cheap or inexperienced provider can create more risk than they remove.

Now more than ever, a good ITAD provider can be cheaper and easier than the cheapest and easiest alternatives. With electronic components always in high demand and an emphasis on the circular economy and sustainability, secure data erasure and material recycling can open the door to free collections and even rebates for your business, while keeping your data secure from collection to remarketing, with documents as proof.

For more guidance on secure IT disposal, data destruction and responsible recycling, follow Premier IT Disposal on LinkedIn and bookmark our website for future updates.

Website: https://premieritdisposal.co.uk

Email: hello@premieritdisposal.co.uk

Phone: 0800 917 7753

Sources and Further Reading

ICO: 14 million people do not know how to erase data from old devices: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/12/14-million-people-don-t-know-how-to-erase-their-data-from-an-old-device/

NCSC: Secure sanitisation and disposal of storage media: https://www.ncsc.gov.uk/guidance/secure-sanitisation-storage-media

NHS Surrey data destruction fine:
https://www.pinsentmasons.com/out-law/news/nhs-body-fined-200000-for-data-destruction-failings-
https://buildingbetterhealthcare.com/nhs-surrey-fined-200-000-for-shocking-data-breach-90060
https://localgovernmentlawyer.co.uk/governance/314-governance-a-risk-articles/14852-ico-hands-out-p200k-fine-after-qtruly-shockingq-data-breach-at-nhs-body

Morgan Stanley SEC penalty: https://www.sec.gov/newsroom/press-releases/2022-168

Morgan Stanley 2023 multistate settlement:
https://ag.ny.gov/press-release/2023/attorney-general-james-and-multistate-coalition-secure-65-million-morgan-stanley
https://portal.ct.gov/ag/press-releases/2023-press-releases/attorney-general-tong-announces-settlement-with-morgan-stanley

Flash sanitisation study: In Search of Lost Data: A Study of Flash Sanitization Practices, 2025: https://arxiv.org/abs/2505.14067
