This kind of oversight, failing to data sanitize retired IT assets, is all too common, and happens to school districts, government agencies, and giant multinational corporations, sometimes actually coming to light and getting highly publicized.
If I had a nickel for every time I posted on this topic, often with a current use case, while working with NextUse over the last 3.5 years, I’d be rich.
These cases are the result of 2 (overly simplified) failures:
1. Organizations inability to do DIY data sanitization on retired IT assets.
2. Organizations inability to select properly qualified vendors with digital data security specialized certifications.
There are thousands of IT Asset Disposition vendors that organizations can work with, many unqualified, quite a few certified for responsible recycling (R2), some with data security specialization (NAID AAA) for non-digital media (paper, etc.) or only to physically destroy digital media (shredding, degaussing, etc.).
There are currently only 6 ITAD vendors in the world, 3 in the US, that have at least 1 facility that have comprehensive certifications to overwrite or physically destroy all types of digital media (HDD, SSD, NVM, etc.), either at their facility or at a client’s facilities, including NextUse.