The uncomfortable truth: old hardware is still a live cyber risk
Despite huge investments in cybersecurity tools, data breaches from old hardware remain a persistent issue in 2026.
According to the UK Information Commissioner’s Office (ICO), personal data security incidents remain one of the most frequently reported breach categories year after year. A consistent proportion of these relate to loss of devices, improper disposal, or unauthorised disclosure through physical assets rather than live cyber-attacks.
Globally, the picture is similar. The 2025 Verizon Data Breach Investigations Report (DBIR) highlights that human error, mismanagement of assets, and poor control of physical infrastructure continue to contribute materially to breaches.
The takeaway?
Not every breach begins with a hacker.
Many begin with hardware that was assumed to be “safe”.
The 2026 breach pattern: it’s not the hack, it’s the handling
A review of incident reporting across the UK and EU shows a recurring pattern:
- Devices removed from production but not sanitised
- Equipment stored without asset tracking
- Hardware resold without certified erasure
- Drives formatted rather than securely wiped
- Networking equipment reset but not sanitised
Under UK GDPR, improper disposal of personal data is still considered a reportable breach.
The ICO has repeatedly fined organisations where personal data was recovered from discarded IT equipment — including hard drives sold on secondary markets containing recoverable data.
The breach often doesn’t occur inside your network.
It occurs after the device leaves it.
Why legacy hardware creates hidden risk
When IT equipment reaches end-of-life, operational focus tends to shift to:
- Replacement timelines
- Budget recovery
- Storage logistics
- Resale value
But the data remains.
Enterprise storage arrays, SSDs, laptops, servers and even networking devices can retain:
- Customer data
- HR records
- Financial information
- Credentials
- Configuration backups
- Internal infrastructure maps
A simple format or factory reset rewrites filesystem metadata, not the underlying data blocks, and does not meet regulatory expectations for secure disposal.
And in 2026, regulators expect demonstrable control across the entire data lifecycle — including disposal.
Regulatory expectations: UK and EU context
General Data Protection Regulation (GDPR)
GDPR Article 5 and Article 32 require organisations to implement appropriate technical and organisational measures to protect personal data — including during storage and disposal.
The ICO explicitly states that organisations must ensure secure destruction or erasure of personal data when equipment is disposed of or reused.
Failure to do so can result in:
- Fines
- Enforcement notices
- Mandatory reporting
- Reputational damage
Improper disposal is not an oversight.
It is non-compliance.
Information Commissioner’s Office (ICO)
The ICO has repeatedly warned organisations about risks linked to redundant hardware. Public enforcement cases over recent years have included recoverable data found on:
- Sold hard drives
- Decommissioned servers
- Disposed laptops
Its guidance is clear: organisations must verify and document secure erasure processes.
What about NIST?
NIST SP 800-88 Rev. 1 remains widely referenced globally for media sanitisation guidance, including in UK policies.
While the NIST guidance originates in the US, the principle it sets out is universal:
- Clear
- Purge
- Destroy
The important factor is not which framework you reference — it is whether your sanitisation approach is robust, documented and auditable.
The networking blind spot
One of the fastest-growing areas of legacy risk in 2026 is networking equipment.
Switches, routers, firewalls and access points frequently store:
- VPN credentials
- Admin passwords
- SSL certificates
- Network topology data
- Configuration backups
These devices are often factory-reset and assumed safe.
But without structured sanitisation and verification, sensitive configuration data can remain recoverable.
As organisations expand hybrid infrastructure, exposure via improperly sanitised network devices increases proportionally.
The commercial reality: breaches are expensive
The 2025 IBM Cost of a Data Breach Report estimates the global average cost of a data breach at approximately $4.45 million, with regulatory fines and incident response costs contributing significantly.
For UK organisations, direct costs typically include:
- Forensic investigations
- Legal advice
- ICO reporting
- Customer notification
- Increased cyber insurance premiums
In contrast, implementing structured end-of-life sanitisation policies is predictable and controlled.
From a governance perspective, it is one of the simplest risk reductions available.
Data sanitisation is now part of cyber resilience
Modern cyber resilience frameworks include:
- Backup validation
- Penetration testing
- Patch management
- Incident response planning
- Supplier risk assessments
Increasingly, they must also include:
End-of-life hardware governance.
Secure data sanitisation should form part of:
- IT asset lifecycle policy
- Offboarding processes
- ESG reporting
- Supplier due diligence
- Risk registers
If hardware disposal is not embedded in your governance model, it becomes your weakest control point.
What robust sanitisation looks like in practice
A defensible UK-aligned approach includes:
✔ A documented disposal policy
✔ Clear ownership of decommissioning
✔ Certified erasure processes
✔ Verification and reporting
✔ Chain-of-custody documentation
✔ Independently audited ITAD partners
And critically:
✔ Evidence.
Because in 2026, the question regulators ask is not:
“Did you mean to erase it?”
It is:
“Can you prove that you did?”
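As an added illustration of the "verification and reporting" step (example code written for this page, not JBC Computing's tooling or any ITAD product): a read-verify pass over a drive image that records the outcome as disposal evidence. It assumes the medium was overwritten with a single fixed byte pattern and that the medium is presented as an image file; the asset tags and sample images are constructed.

```python
"""Post-sanitisation read-verify of a drive image, producing a record that can be
filed as disposal evidence. Added example, not the article's or any vendor's code;
the images and asset tags are constructed for the demonstration."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

BLOCK = 4096

def verify_image(path, asset_tag, pattern=0x00):
    """Read every block and confirm it holds only the overwrite pattern.
    Returns the verification record; a FAIL names the first residual offset."""
    path, expected = Path(path), bytes([pattern]) * BLOCK
    size, residual_at, offset = path.stat().st_size, None, 0
    with path.open("rb") as f:
        while chunk := f.read(BLOCK):
            if chunk != expected[:len(chunk)]:
                # pin down the exact byte so the record says where the wipe failed
                residual_at = offset + next(i for i, b in enumerate(chunk) if b != pattern)
                break
            offset += len(chunk)
    record = {
        "asset_tag": asset_tag,
        "media_size": size,
        "bytes_verified": size if residual_at is None else residual_at,
        "pattern": f"0x{pattern:02x}",
        "result": "PASS" if residual_at is None else "FAIL",
        "residual_offset": residual_at,
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }
    # digest over the record itself so later alteration of the evidence is detectable
    record["record_sha256"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record

def demo():
    """Two constructed images: one fully overwritten, one merely 'formatted',
    where a customer record past the filesystem metadata was never touched."""
    residue = b"customer-record: still here"
    with tempfile.TemporaryDirectory() as d:
        clean, fmt = Path(d, "clean.img"), Path(d, "fmt.img")
        clean.write_bytes(bytes(BLOCK * 4))
        fmt.write_bytes(bytes(BLOCK * 2) + residue + bytes(BLOCK * 2 - len(residue)))
        return verify_image(clean, "ASSET-0001"), verify_image(fmt, "ASSET-0002")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On real media the same pass runs against the device after the overwrite; it verifies rather than sanitises, and it cannot see blocks that flash media remaps internally, which is one reason NIST SP 800-88 distinguishes Clear from Purge for SSDs.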
The question every organisation should ask
- Can we evidence secure erasure for devices disposed of in the past 24 months?
- Are networking devices covered by policy?
- Do we audit our disposal partners?
- Is end-of-life hardware included in our cyber risk assessment?
If the answer is unclear, the risk is operational — not theoretical.
Final thought: yesterday’s hardware can become tomorrow’s breach
Cyber security discussions often focus on emerging threats.
But data breaches from old hardware remain a preventable and under-discussed risk in 2026.
Secure data sanitisation is not simply compliance.
It is governance.
It is accountability.
It is resilience.
At JBC Computing, we work with organisations to strengthen end-of-life hardware procedures and implement robust, auditable sanitisation frameworks aligned with UK regulatory expectations.
If you would like to review your current processes, speak to our team today.