IT Asset Disposal in 2025: What Blancco's Data Sanitization Report Really Means for Your ITAD Program
The quietest security risk in your stack might be the one rolling out the door on a pallet. Blancco’s 2025 State of Data Sanitization Report surfaces how end‑of‑life (EOL) data and hardware retirement are reshaping security, compliance, and sustainability, and what leading enterprises are doing about it.
What the report reveals (and why ITAD leaders should care)
Blancco surveyed 2,000 IT, cybersecurity, data center, and sustainability leaders worldwide to understand how organizations retire hardware and erase data, what it costs, and where gaps remain.
- Breach & leak reality check: 86% of enterprises experienced a data breach in the last three years and 73% experienced a data leak, often accidental. Common causes include phishing (54%) and improper network configuration (46%), with stolen devices (41%) still a major factor.
- Stolen devices beat ransomware: Stolen drives and devices are now a more common cause of data loss than ransomware or stolen credentials, a stark reminder that physical risk is security risk.
- Residual data at redeploy: For 17% of respondents that suffered compromise, redeployed devices or drives still held sensitive data from prior use, an ITAD red flag.
- Classification is lagging: On average, less than 21% of enterprise data is classified, making timely destruction and retention enforcement difficult.
The pressure cooker: Regulations, AI, and ESG
The report highlights 144 countries with data privacy/protection laws and 20 U.S. states with comprehensive privacy statutes, driving tangible shifts in EOL practices. Budgets are following suit: 58% of enterprises increased spend on privacy/protection compliance in the past year, by an average of 46% (and 71% in North America).
AI also complicates the picture. As organizations adopt tools like Microsoft Copilot and internal LLMs, they refresh endpoints and storage while rethinking retention to ensure training data is accurate, lawful, and erasable at EOL. Blancco notes AI’s mixed impact: many say it’s helping define retention rules and reduce redundant, obsolete, or trivial (ROT) data, while others report the opposite: more ROT and complexity.
Sustainability adds a third axis. New ESG mandates pressure teams to curb e‑waste without compromising security. Yet up to 47% of devices destroyed for “security” were still functional, and a notable share of assets are refurbished without certified erasure, about 25% of laptops/desktops and 19% of data center assets. This combination inflates both risk and emissions.
Security vs. sustainability isn’t a zero‑sum game
The standards community is pushing toward “sanitize first, destroy when necessary”:
- NIST SP 800‑88 Rev.1 defines sanitization as rendering access to target data infeasible and lays out Clear, Purge, and Destroy with verification guidance.
- IEEE 2883‑2022 adds technology‑specific requirements for sanitizing logical and physical storage and formalizes verification and documentation expectations.
- ISO/IEC 27040:2024 provides end‑to‑end guidance across the storage lifecycle, including end‑of‑use and end‑of‑life considerations.
Used together, these frameworks enable organizations to retain more devices for redeployment (with auditable erasure) and reserve physical destruction for cases where sanitization is impractical or risk‑inappropriate.
What “good” looks like for IT asset disposition in 2025
- Policy anchored in standards: Codify NIST 800‑88 methods and map them to IEEE 2883 verification requirements; reference ISO/IEC 27040 for architecture, roles, and controls across the storage lifecycle.
- Classify to minimize: With less than 21% of data classified on average, prioritize data classification, set retention clocks, and enforce deletion to shrink your attack and ITAD surface.
- Erase by default, destroy by exception: Favor certified erasure for functional devices and document cryptographic erase for SEDs when appropriate; destroy only when media is non‑functional or policy demands it.
- Proof, or it didn’t happen: Require tamper‑evident chain of custody, device‑level erasure reports, and independent audit trails from ITAD providers.
- Track the sustainability ledger: Measure avoided e‑waste and CO₂e from redeployment vs. destruction to feed ESG reporting.
- Align security, IT, and sustainability: Most organizations say sustainability now strongly impacts disposal decisions; lean into that momentum with a joint RACI (Responsible, Accountable, Consulted, and Informed).
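An added example (not from Blancco's report or any ITAD vendor's tooling) of the "Proof, or it didn't happen" item above: a hash-chained custody log that exposes edited records, plus a check for assets released without a verified erasure or destruction. The record fields (`asset`, `action`, `verified`) and the asset IDs are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the first record's "prev" field

def _digest(prev_hash, event):
    # Canonical JSON so the same event always produces the same hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_event(log, event):
    """Append a custody event, linking it to the hash of the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
    return log

def verify_chain(log):
    """Return the index of the first broken record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return -1

def disposition_gaps(log):
    """List assets released without a prior verified erase or destroy event."""
    sanitized, gaps = set(), []
    for rec in log:
        e = rec["event"]
        if e["action"] in ("erase", "destroy") and e.get("verified"):
            sanitized.add(e["asset"])
        elif e["action"] == "release" and e["asset"] not in sanitized:
            gaps.append(e["asset"])
    return gaps

def build_sample_log():
    # Constructed sample: one laptop erased then redeployed, one server
    # released for resale with no sanitization record at all.
    log = []
    for ev in [
        {"asset": "LT-0001", "action": "collect", "by": "courier-a"},
        {"asset": "LT-0001", "action": "erase", "method": "purge", "verified": True},
        {"asset": "LT-0001", "action": "release", "to": "redeploy"},
        {"asset": "SRV-0002", "action": "collect", "by": "courier-a"},
        {"asset": "SRV-0002", "action": "release", "to": "resale"},
    ]:
        append_event(log, ev)
    return log
```

A hash chain only shows tampering to someone who holds a trusted copy of the latest hash, so the head hash should be signed or lodged with a second party (for example, the asset owner as well as the ITAD provider).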
References
- Blancco, 2025 State of Data Sanitization Report
- NIST SP 800‑88 Rev.1, Guidelines for Media Sanitization
- IEEE 2883‑2022, Standard for Sanitizing Storage
- ISO/IEC 27040:2024, Information technology—Security techniques—Storage security
FAQs
- Deletion removes pointers to data but often leaves it recoverable.
- Erasure overwrites data or renders it cryptographically inaccessible.
- Sanitization is the umbrella process (Clear, Purge, Destroy) that verifiably makes access to target data infeasible for a given level of effort.
Destroy when media is non‑functional, when policy/regulation mandates it, or when sanitization cannot be assured. Otherwise, certified erasure preserves asset value and reduces e‑waste.
Require device‑level sanitization reports, verification logs, and chain‑of‑custody from ITAD vendors.
For SSDs/SEDs, crypto‑erase (instant key destruction) is often appropriate, with verification that keys are irrecoverable.
AI expands data volume and accelerates hardware refresh, increasing EOL throughput and compliance exposure. Tighten classification/retention and standardize sanitization at scale.