
Your Sensitive Data Is Hiding in Legacy IT Assets
What IT managers, CFOs, and compliance officers need to know about the data risk sitting in your retired hardware, and what to do about it.
Right now, somewhere in your organisation’s past, there is a decommissioned laptop sitting in a storage room. A server that was replaced three refresh cycles ago. A stack of hard drives from a migration project that never quite got wrapped up. A batch of mobile devices from staff who left during the pandemic.
None of them are on your network. None of them are in your threat monitoring. And according to the data, there is a strong chance several of them still contain recoverable sensitive information.
This is the ITAD problem. And most Australian organisations are not taking it seriously enough.
Let’s start with an uncomfortable truth
Australia recorded a staggering 1,113 notifiable data breaches in 2024, according to the Office of the Australian Information Commissioner (OAIC). That is a 25% increase on 2023, and the highest annual total since the Notifiable Data Breaches scheme began in 2018. Malicious attacks accounted for 69% of those breaches in the second half of the year alone. With the OAIC signalling continued enforcement focus in 2026 and the Privacy Act amendments now in effect, the pressure on organisations to demonstrate proper data handling is only increasing.
And yet, when most organisations think about data security, they think about their live systems. Their firewall. Their endpoint protection. Their cloud access controls. What they are not thinking about is the hardware that left their environment six months ago, and whether the data on it left with it.
Australia’s own cybersecurity authority has a clear view on this. The ASD’s Annual Cyber Threat Report 2024–2025 lists replacing legacy IT as one of four critical actions businesses must take to protect themselves. Not a recommendation. A priority action.
- 1,113 notifiable data breaches reported in Australia in 2024, the highest annual total on record (Source: OAIC, 2024)
- 25% increase in reported data breaches from 2023 to 2024, driven largely by malicious attacks (Source: OAIC, 2024)
- 59% of second-hand hard drives studied contain recoverable data, despite appearing wiped or formatted (Source: University of Hertfordshire research)
- 60%+ of Australian cybersecurity leaders have experienced incidents linked to unknown or unmanaged assets (Source: Trend Micro, 2025)
What exactly is the risk in legacy IT assets?
The misconception that makes this problem so persistent is a simple one: if a device is off the network, it cannot hurt you. That is not true.
Data does not disappear when a device is switched off. It does not disappear when a device is reformatted. It does not even disappear when a device is sold, donated, or quietly dropped in a skip. Without certified data destruction, the data is still there, often recoverable with widely available tools.
A 2025 case in the Netherlands put this in sharp relief. A buyer purchased hard drives at a market for the equivalent of a few dollars each. On them: 500 gigabytes of sensitive medical data. The devices had, presumably, been considered disposed of. They were not.
Australian research tells a similar story. Studies show that 59% of second-hand drives contain recoverable data even after appearing to have been wiped or formatted. And a 2025 Trend Micro study found that more than 60% of Australian cybersecurity leaders have experienced security incidents linked specifically to unknown or unmanaged assets.
The devices most likely to carry risk: Hard drives are the obvious concern, but any device that has touched your environment can carry sensitive data, and many are overlooked. Laptops and desktops, decommissioned servers, backup tapes and storage arrays, mobile phones and tablets, printers and multifunction devices (yes, printers store data), networking equipment, CCTV and IoT devices, USB drives and portable media.
The compliance exposure is real and growing
Australia’s Privacy Act requires organisations to take reasonable steps to protect personal information, including destroying or de-identifying it when it is no longer needed. Retiring a device without certified data destruction does not satisfy that obligation. And with Australia’s Privacy Act reforms introducing significantly higher penalties, the cost of getting this wrong has never been higher.
The Privacy Act now allows for civil penalties of up to $50 million for serious or repeated privacy breaches by organisations. Individual penalties have also increased substantially. The Office of the Australian Information Commissioner has signalled it intends to use these powers.
The precedent is already set internationally. Morgan Stanley was fined more than USD $163 million for ITAD lapses, specifically for failing to ensure that decommissioned data centre equipment had its data properly destroyed before disposal. The hardware was auctioned off. The data was on it.
- $50M maximum civil penalty for serious or repeated privacy breaches under Australia’s updated Privacy Act (Source: Australian Privacy Act (amended))
- $163M+ fine issued to Morgan Stanley for ITAD failures. Decommissioned servers were auctioned with data intact (Source: US regulatory action)
- $4.26M average cost of a data breach to an Australian business in 2024, according to IBM’s Cost of a Data Breach report
- 69% of data breaches in H2 2024 in Australia were caused by malicious attacks, not accidents (Source: OAIC, July to December 2024)
Why legacy IT assets are a particularly attractive target
Retired IT assets sit in a blind spot that most security programs do not cover. They are off the network, so they are not monitored. They are out of the refresh cycle, so they are not actively managed. And they are often handled by people who are not security specialists: facilities teams, junior IT staff, third-party contractors with no visibility into what data those devices once held.
That combination makes them exactly the kind of asset that ends up in the wrong hands. Devices are sold through secondary markets. Donated to charities that resell them. Sent to unverified recyclers. Left in storage rooms that are eventually cleared out without due process. And in each of those scenarios, the data travels with the device.
The ASD’s Cyber Threat Report is unambiguous: legacy systems present elevated risk because they often lack modern security controls, are deprioritised for patching, and fall outside normal monitoring regimes. In the context of ITAD, that means the data on them is exposed long before anyone notices.
The “delete and reformat” myth: Simply deleting files or performing a factory reset does not erase data. Modern data recovery tools can retrieve information from devices that have been formatted, restored to factory settings, or even partially physically damaged. Certified data destruction, whether through verified software wiping to NIST 800-88 standards or physical destruction, is the only reliable method of ensuring data is unrecoverable. If you cannot produce a certificate of destruction, you cannot prove the data is gone.
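To make the “delete and reformat” point concrete, here is an added example (not ZircoDATA’s tooling, and not a reproduction of the NIST SP 800-88 verification procedure itself) that does the kind of post-wipe check a practitioner would run before signing off a device: it reads a disk image block by block, counts blocks that still hold anything other than a uniform 0x00 or 0xFF fill, and looks for boot-sector and file-system signatures that a quick format leaves behind. The two sample images are constructed inline: one that was only quick-formatted (new boot sector, old data still in place) and one that was overwritten. Block size, the signature offsets and the accepted fill values are assumptions stated in the code.

```python
import random
from dataclasses import dataclass, field
from typing import List, Optional

# Boot-sector and file-system signatures that should not survive a full wipe.
# Offsets are from the start of the image (sector 0 = MBR / volume boot record).
SIGNATURES = [
    ("MBR boot signature", 510, b"\x55\xAA"),
    ("NTFS OEM id", 3, b"NTFS    "),
    ("FAT32 type label", 82, b"FAT32   "),
    ("ext2/3/4 superblock magic", 1024 + 56, b"\x53\xEF"),
]


@dataclass
class WipeReport:
    blocks_checked: int
    blocks_with_data: int
    signatures_found: List[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return self.blocks_with_data == 0 and not self.signatures_found


def verify_wipe(image: bytes, block_size: int = 512,
                sample: Optional[int] = None, seed: int = 0) -> WipeReport:
    """Look for residual data in a disk image.

    A block passes only if every byte is the same fill value and that value
    is 0x00 or 0xFF (what overwrite tools normally leave); anything else is
    counted as residual data. With `sample` set, that many blocks are picked
    at random (seeded, so the check is reproducible); otherwise every block
    is read. Known boot-sector / file-system signatures are checked as well,
    because a surviving volume header is the quickest sign that only a
    quick format was done.
    """
    n_blocks = (len(image) + block_size - 1) // block_size
    indices = list(range(n_blocks))
    if sample is not None and sample < n_blocks:
        indices = sorted(random.Random(seed).sample(indices, sample))
    with_data = 0
    for i in indices:
        block = image[i * block_size:(i + 1) * block_size]
        uniform = block.count(block[0]) == len(block)
        if not (uniform and block[0] in (0x00, 0xFF)):
            with_data += 1
    found = [name for name, off, magic in SIGNATURES
             if image[off:off + len(magic)] == magic]
    return WipeReport(len(indices), with_data, found)


def build_quick_formatted_image() -> bytes:
    """Constructed sample: a 16-sector 'disk' that was only quick-formatted.
    The boot sector was rewritten (NTFS OEM id plus 0x55AA), but the data
    area still holds a record written before the format."""
    boot = bytearray(512)
    boot[3:11] = b"NTFS    "
    boot[510:512] = b"\x55\xAA"
    record = b"PATIENT: J. Citizen  DOB: 1970-01-01  FILE: pathology-2023".ljust(512, b"\x00")
    return bytes(boot) + bytes(512 * 6) + record + bytes(512 * 8)


def build_wiped_image(fill: int = 0x00) -> bytes:
    """Constructed sample: the same 16 sectors after a single-pass overwrite."""
    return bytes([fill]) * (512 * 16)


if __name__ == "__main__":
    for label, img in (("quick-formatted", build_quick_formatted_image()),
                       ("overwritten", build_wiped_image())):
        r = verify_wipe(img)
        print(f"{label}: {r.blocks_with_data}/{r.blocks_checked} blocks hold data, "
              f"signatures={r.signatures_found}, clean={r.is_clean()}")
```

On a real device you would feed the block device or a full image to `verify_wipe` rather than a constructed byte string, and a sampled check is a spot check only: a device is not clean because a sample came back empty, it is clean because the full verification and the provider’s certificate agree.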
What good ITAD looks like
ITAD (IT Asset Disposition) is the structured, secure, and auditable process of retiring end-of-life IT equipment. Done properly, it covers the full lifecycle from the moment a device is flagged for decommissioning to the point at which you hold a verified certificate of data destruction and an environmental disposal record.
The components of a credible ITAD program include:
- Asset inventory and collection: every device identified, catalogued, and collected under a documented chain of custody
- Data destruction: certified wiping to recognised standards (NIST 800-88, DoD 5220.22-M) or physical destruction for devices where wiping is not sufficient
- Certificate of destruction: a verifiable, auditable record for every device, by serial number
- Remarketing or recycling: responsible resale or component recovery where devices retain value, and certified e-waste recycling where they do not
- Reporting: full chain-of-custody documentation for compliance and audit purposes
The critical word throughout is certified. An ITAD provider that cannot produce per-device certificates of destruction is not providing ITAD. They are providing collection, and the data risk remains entirely with you.
What to look for in an ITAD provider: Chain-of-custody documentation from collection to destruction. Per-device certificates of data destruction. Recognised destruction standards (NIST 800-88, DoD 5220.22-M). Secure, monitored transport and processing facilities. Compliance with Australian e-waste and environmental regulations. Experience across all device types: laptops, desktops, servers, and everything in between.
The e-waste dimension is not optional either
Data security is the most urgent reason to take ITAD seriously. But it is not the only one. Australia’s Product Stewardship Act and the National Television and Computer Recycling Scheme (NTCRS) set obligations around how electronic waste is handled and reported. Dumping retired IT equipment, even through legitimate general waste channels, creates legal exposure beyond the privacy risk.
The global ITAD market reflects how seriously this is being taken. Valued at approximately USD $17.5 billion in 2025, it is projected to reach USD $40 billion by 2035, growing at nearly 9% annually. This is not a niche service category. It is a core element of IT lifecycle management that responsible organisations are building into their operating model.
Questions worth asking in your next leadership meeting
If you are a CFO, IT manager, or compliance officer, the following questions are worth having answers to before your next audit, or before a breach forces you to answer them under very different circumstances.
- Do we have a complete, current inventory of all IT assets, including devices that have been decommissioned in the last three years?
- Can we produce a certificate of data destruction for every device we have retired?
- Who handled the disposal of our last refresh cycle, and what documentation did they provide?
- Do we have a formal ITAD policy, or are we relying on informal processes and individual judgment?
- Are our third-party IT service providers, including managed service providers, disposing of devices on our behalf, and if so, how?
- What is our exposure if a retired device containing customer or employee data is found on the secondary market?
If the honest answer to any of those questions is “I am not sure,” the risk is live. It just has not surfaced yet.
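The “certificate of destruction for every device, by serial number” requirement from the ITAD components above, and the audit question “Can we produce a certificate of data destruction for every device we have retired?”, both come down to the same reconciliation. The following is an added example (not ZircoDATA’s software) that performs it: it joins a retired-asset register to the certificates returned by a provider, serial by serial, and reports the gaps an auditor would raise. The CSV data, the provider name and the `ACCEPTED_METHODS` set are constructed for the example; the method names in that set are an assumption and should be taken from your own policy and contract.

```python
import csv
import io
from datetime import date
from typing import Dict, List

# Destruction methods this check treats as certified. This set is an assumption
# for the example; populate it from the standards your ITAD contract names.
ACCEPTED_METHODS = {
    "NIST 800-88 Clear",
    "NIST 800-88 Purge",
    "NIST 800-88 Destroy",
    "Physical destruction",
}

# Constructed sample data: one row per retired device (from the asset register)
# and one row per certificate returned by the ITAD provider.
RETIRED_ASSETS_CSV = """serial,asset_type,retired_on
SN-LT-1001,laptop,2024-03-12
SN-LT-1002,laptop,2024-03-12
SN-SV-2001,server,2023-11-30
SN-MFP-3001,printer,2024-06-01
SN-USB-4001,usb drive,2024-06-01
"""

CERTIFICATES_CSV = """serial,method,destroyed_on,certificate_id,provider
SN-LT-1001,NIST 800-88 Purge,2024-03-01,CERT-0001,Example ITAD Pty Ltd
SN-SV-2001,Physical destruction,2023-12-05,CERT-0002,Example ITAD Pty Ltd
SN-MFP-3001,Factory reset,2024-06-03,CERT-0003,Example ITAD Pty Ltd
SN-XX-9999,NIST 800-88 Purge,2024-06-03,CERT-0004,Example ITAD Pty Ltd
"""


def load_rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(assets: List[Dict[str, str]], certs: List[Dict[str, str]]) -> Dict[str, object]:
    """Match every retired asset to a certificate of destruction by serial number
    and report the gaps an auditor would ask about."""
    cert_by_serial: Dict[str, Dict[str, str]] = {}
    duplicate_certs: List[str] = []
    for c in certs:
        if c["serial"] in cert_by_serial:
            duplicate_certs.append(c["serial"])
        cert_by_serial[c["serial"]] = c
    asset_serials = {a["serial"] for a in assets}

    missing, not_certified, destroyed_before_retired, fully_certified = [], [], [], []
    for a in assets:
        cert = cert_by_serial.get(a["serial"])
        if cert is None:
            missing.append(a["serial"])           # retired, no certificate at all
            continue
        if cert["method"] not in ACCEPTED_METHODS:
            not_certified.append(a["serial"])     # a certificate, but not for an accepted method
            continue
        if date.fromisoformat(cert["destroyed_on"]) < date.fromisoformat(a["retired_on"]):
            destroyed_before_retired.append(a["serial"])  # dates contradict the chain of custody
            continue
        fully_certified.append(a["serial"])
    # Certificates for serials not in the register: either the register is
    # incomplete or the provider's paperwork is wrong. Both need following up.
    orphan_certificates = sorted(s for s in cert_by_serial if s not in asset_serials)

    return {
        "assets": len(assets),
        "fully_certified": sorted(fully_certified),
        "missing_certificate": sorted(missing),
        "method_not_accepted": sorted(not_certified),
        "destroyed_before_retired": sorted(destroyed_before_retired),
        "orphan_certificates": orphan_certificates,
        "duplicate_certificates": sorted(duplicate_certs),
        "audit_ready": len(fully_certified) == len(assets) and not orphan_certificates,
    }


if __name__ == "__main__":
    report = reconcile(load_rows(RETIRED_ASSETS_CSV), load_rows(CERTIFICATES_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample data, the report shows one fully certified server, two devices with no certificate at all, a printer whose only “certificate” is a factory reset, a laptop whose destruction date precedes its retirement date, and a certificate for a serial the register has never seen. Each of those is a different conversation with the provider or the asset owner, which is why the check keeps them in separate lists rather than a single pass/fail.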
- 57% of used mobile devices purchased from secondary markets contain residual data, even after apparent wiping (Source: Blancco / Kroll Ontrack study)
- 75% of used hard drives purchased from online secondary markets contain recoverable residual data (Source: Blancco / Kroll Ontrack study)
How ZircoDATA approaches ITAD
ZircoDATA’s ITAD services are built around one principle: the data risk sits with the organisation until it can be proven otherwise. That means every engagement starts with asset identification, proceeds through certified data destruction, and ends with auditable documentation that holds up to regulatory scrutiny.
Our services cover the full scope of end-of-life IT assets:
- IT Asset Disposal: secure collection, processing, and disposition of retired hardware across all device types
- Data Destruction: certified wiping and physical destruction with per-device certificates of destruction
- E-Waste Collection and Recycling: compliant disposal and materials recovery that meets Australian environmental obligations
- Asset Relocation: secure movement of IT assets between sites, with full chain of custody maintained throughout
We work across Australia with organisations in finance, healthcare, government, legal, and education: sectors where the consequences of a data breach extend well beyond the financial. If you are managing a technology refresh, a data centre migration, or simply have a backlog of unprocessed retired assets, we can help you clear it properly.
The data risk in your legacy IT assets is manageable. But it requires action. ZircoDATA provides certified ITAD services across Australia: secure, auditable, and fully documented from collection to certificate of destruction. Get an ITAD quote today or speak to our team about your specific situation.
