Top Data Breach Cases Caused by Poor IT Disposal Practices

Real-world data breach cases that show why secure IT disposal is non-negotiable for any modern business.
Improper IT disposal doesn't just harm the environment - it can cost companies millions in fines, lawsuits and reputational damage. When businesses fail to dispose of IT equipment securely, sensitive data can fall into the wrong hands.
In this post, we highlight some of the most well-known data breach cases linked to poor IT asset disposal. These real-world examples are powerful reminders of why secure disposal methods - like degaussing, data wiping and physical destruction - are essential.
1. Health records sold on eBay – NHS Surrey
In 2013, NHS Surrey was fined £200,000 after thousands of patients' sensitive health records were discovered on a second-hand computer purchased from eBay. The breach occurred because the IT contractor hired to dispose of old hardware failed to properly erase the data. Despite claims that the devices had been wiped, many still contained confidential medical information.
This case demonstrates how relying on unverified disposal methods can have serious consequences. Proper degaussing or certified data destruction would have prevented it entirely.
2. Morgan Stanley – employee data compromised
In 2016, Morgan Stanley was fined $60 million by US regulators after decommissioned servers were sold without removing sensitive customer data. An external IT disposal vendor mishandled the process, failing to properly wipe or destroy storage media. As a result, personal data belonging to millions of clients was exposed.
Had degaussing been used, the data would have been rendered completely unreadable. This case highlights the importance of overseeing third-party disposal services and verifying their processes.
3. University of Greenwich – student information leaked
In 2018, the University of Greenwich faced a £120,000 penalty after student data was accidentally made public. While the breach wasn't directly due to hardware disposal, outdated servers and poorly managed legacy systems were to blame.
This is a reminder that disposing of old IT equipment is not just about physical devices - it also includes servers, databases and backup tapes. Without secure decommissioning, institutions leave themselves exposed to attack.
4. Iron Mountain incident – backup tapes go missing
Iron Mountain, a company responsible for secure data storage and disposal, lost backup tapes from several major clients during a transport handover. While encryption was in place, the incident raised questions about chain of custody and risk management.
If those tapes hadn't been encrypted - or worse, if they were recovered by a malicious actor - the resulting breach could have been catastrophic. This case underlines the need to combine physical control with data erasure methods like degaussing, particularly for magnetic storage.
Why these cases matter to your business
These real-world failures show that data security doesn't end with shutting down a machine. Even one unaccounted-for hard drive, tape or server can cause irreparable damage. Secure disposal gives you:
- Peace of mind that data cannot be retrieved.
- Compliance with GDPR and other data protection regulations.
- Protection against reputational loss.
How Premier IT Disposal can help
We offer professional, certified degaussing and secure data destruction services. Our team ensures every storage device is handled properly - erased, destroyed and documented. We work with businesses of all sizes to ensure their IT disposal is 100% secure and environmentally responsible.



