The financial services sector, managing the world's most sensitive data, is facing an intensifying and often self-inflicted security crisis. The Blancco 2025 Financial Services State of Data Sanitization Report delivers a harsh reality check: 82% of organizations surveyed suffered a data breach or leak within the past year.
The staggering figure confirms that the industry is not just under attack—it is hemorrhaging sensitive data. But what's most alarming is the primary vector for these compromises, which points to a fundamental failure in basic endpoint and data lifecycle management.
When financial services organizations suffer a breach, the prevailing narrative often centers on sophisticated zero-day exploits or intricate phishing campaigns. However, the data in Blancco's report tell a much more prosaic, yet devastating, story: the failure to manage physical devices.
According to the report, 43% of breaches or leaks were attributed to stolen devices and drives. This means nearly half of all data compromises stem from endpoints that walked out the door or were improperly decommissioned. The impacts are severe and measurable:
Customer loss: 37% of breached firms experienced customer attrition.
Revenue and stock decline: 40% saw declines in customer revenue, and 36% saw share price drops.
As Blancco CEO Lou DiFruscio noted, the high-value nature of financial data makes the sector a prime target, demanding high standards of security and governance. The data show that the weakest link is often not the firewall, but the final, manual steps of IT asset disposition.
The CISO mandate must now extend beyond network defense to rigorously securing the physical lifecycle of every data-bearing asset. A breach caused by a stolen drive is an operational failure, not just a cybersecurity one. Teams must implement and audit a strict chain-of-custody process for all devices, including laptops, servers, and external storage, from deployment to destruction.
The financial sector's compliance burden is already immense, driven by broad regulations like GDPR and industry-specific mandates like KYC/AML and PCI DSS. The Blancco report shows that this pressure is translating directly into expenditure, with 60% of organizations increasing compliance spending by an average of 47% over the past year.
Despite this investment, new technologies are adding layers of risk:
AI complicates compliance: A vast majority—86%—of financial services firms have deployed some form of AI. However, a quarter (25%) of respondents reported that AI adoption made it more difficult to achieve regulatory compliance.
The ROT data explosion: Nearly 30% of respondents reported that their AI initiatives increased the collection of Redundant, Obsolete, and Trivial (ROT) data.
ROT data create a massive, unnecessary liability. Regulatory requirements demand that firms delete data once its legal retention period expires. Retaining ROT data—especially the sensitive data AI is trained on—only increases the attack surface and the potential liability following a breach.
The CISO needs to partner with Legal and Data Governance teams to enforce Data Minimization as a primary security control. If the data aren't needed, they shouldn't exist. Implement automated retention policies that tag and delete ROT data created by AI models, and ensure timely disposal of archived customer data to meet KYC/AML deletion requirements.
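As an added illustration of the retention control described above (example code written for this page, not Blancco's or the report's), the following Python sketch tags objects as Redundant, Obsolete (past retention) or Trivial-to-review, honours legal holds, deletes what is eligible through a caller-supplied delete function, and returns an audit list. The retention periods, data classes and file paths are constructed placeholders; a real deployment takes them from the firm's legal retention schedule.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule (days per data class). These numbers are
# placeholders, not regulatory values; the real schedule comes from Legal.
RETENTION_DAYS = {
    "kyc_record": 5 * 365,       # placeholder for a KYC/AML record-keeping period
    "ai_training_export": 90,    # customer data copied out for model training
    "ai_inference_log": 30,      # prompts/responses logged by an AI service
    "session_cache": 7,
}


@dataclass
class DataObject:
    path: str                  # hypothetical storage path
    data_class: str
    created: date
    content_hash: str          # content digest, used to spot redundant copies
    tags: set = field(default_factory=set)


def retention_expiry(obj):
    """Date after which the object may be deleted, or None if its class is unknown."""
    days = RETENTION_DAYS.get(obj.data_class)
    return None if days is None else obj.created + timedelta(days=days)


def tag_rot(objects, today):
    """Tag objects: 'expired' (past retention), 'redundant' (duplicate content seen
    earlier in the inventory) or 'review' (unknown class). Legal holds are never tagged."""
    seen = {}
    for obj in objects:
        duplicate = obj.content_hash in seen
        seen.setdefault(obj.content_hash, obj.path)
        if "legal_hold" in obj.tags:
            continue
        expiry = retention_expiry(obj)
        if expiry is None:
            obj.tags.add("review")       # unknown class: a human decides, nothing auto-deletes
        elif today > expiry:
            obj.tags.add("expired")
        if duplicate:
            obj.tags.add("redundant")
    return objects


def select_for_deletion(objects):
    """Only tagged objects that are not under legal hold are eligible."""
    return [o for o in objects
            if "legal_hold" not in o.tags and o.tags & {"expired", "redundant"}]


def enforce_retention(objects, today, delete):
    """Tag, select and delete; returns an audit list of (path, class, reason, date)."""
    tag_rot(objects, today)
    audit = []
    for obj in select_for_deletion(objects):
        reason = "expired" if "expired" in obj.tags else "redundant"
        delete(obj.path)                 # caller supplies the real (verified) deletion
        audit.append((obj.path, obj.data_class, reason, today.isoformat()))
    return audit


def sample_inventory():
    """Constructed inventory covering each tagging outcome."""
    return [
        DataObject("/kyc/c1001.json", "kyc_record", date(2019, 1, 1), "h1"),
        DataObject("/kyc/c2002.json", "kyc_record", date(2024, 1, 1), "h2"),
        DataObject("/kyc/c0003.json", "kyc_record", date(2015, 1, 1), "h3", {"legal_hold"}),
        DataObject("/ml/train_2025q1.parquet", "ai_training_export", date(2025, 1, 15), "h4"),
        DataObject("/ml/train_copy.parquet", "ai_training_export", date(2025, 5, 20), "h4"),
        DataObject("/ml/infer.log", "ai_inference_log", date(2025, 5, 20), "h5"),
        DataObject("/tmp/unknown.bin", "unclassified", date(2020, 1, 1), "h6"),
    ]


def run_demo(today=date(2025, 6, 1)):
    """Run the enforcer over the sample inventory; returns (audit, objects, deleted_paths)."""
    objects = sample_inventory()
    deleted = []
    audit = enforce_retention(objects, today, deleted.append)
    return audit, objects, deleted


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(entry)
```

The design point is the split between tagging and deletion: tagging is idempotent and reviewable, legal holds short-circuit everything, and an unknown class yields a review tag rather than a silent delete, so the automation never removes data whose retention basis nobody has asserted.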
The final, critical point of failure revealed by the report is the lack of adherence to internationally recognized data sanitization standards. This failure is directly linked to the issue of stolen or improperly disposed devices.
Effective data sanitization is essential for two reasons: securing the data and enabling asset reuse. Yet, adoption remains dangerously low:
Only 21% require compliance with NIST SP 800-88 Rev 1.
Only 19% require compliance with IEEE 2883.
By failing to mandate these gold-standard protocols, financial institutions are creating unnecessary risk and cost. The report notes that nearly half of functional devices are destroyed unnecessarily because the organization cannot guarantee the data have been securely wiped for reuse. Physical destruction is costly, wasteful, and often unnecessary if proper sanitization is performed.
Security leaders must embed compliance with NIST SP 800-88 Rev 1 or IEEE 2883 into their IT Asset Disposition (ITAD) policies. Mandate the use of certified, verifiable data erasure solutions that provide a tamper-proof audit trail. This single step simultaneously mitigates the risk of data leakage from decommissioned devices, reduces unnecessary destruction costs, and improves auditable compliance with global privacy regulations.
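The two properties this recommendation asks for, verified erasure and a tamper-evident record of it, can be demonstrated in a small model. The Python below is an added example written for this page, not Blancco's software or anything from the report: it overwrites a device modelled as a byte array, reads the whole device back to verify the overwrite, and appends the outcome to a SHA-256 hash-chained audit log whose integrity can be checked later. The asset identifiers, operator names and timestamps are constructed; the genesis value is assumed to be anchored out of band (for example, signed or published) so the chain head itself cannot be silently replaced.

```python
import hashlib
import json

GENESIS = "0" * 64   # assumption: this anchor is recorded somewhere the log writer cannot alter


def overwrite_clear(device: bytearray, pattern: bytes = b"\x00") -> None:
    """Single-pass overwrite of every byte. A toy model of an overwrite-based
    clear on magnetic media; flash drives need their own sanitize commands,
    which this model does not represent."""
    for i in range(len(device)):
        device[i] = pattern[i % len(pattern)]


def verify_cleared(device: bytearray, pattern: bytes = b"\x00"):
    """Full read-back verification: every byte must match the pattern.
    Returns (ok, first_bad_offset)."""
    for i in range(len(device)):
        if device[i] != pattern[i % len(pattern)]:
            return False, i
    return True, None


def _record_hash(body: dict) -> str:
    # Canonical JSON so the same body always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_record(chain, asset_id, method, verified, first_bad, operator, ts):
    """Append an erasure record linked to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"prev": prev, "asset_id": asset_id, "method": method,
            "verified": verified, "first_bad_offset": first_bad,
            "operator": operator, "ts": ts}
    chain.append({"body": body, "hash": _record_hash(body)})
    return chain[-1]


def verify_chain(chain) -> bool:
    """True only if every record hashes correctly and links to its predecessor."""
    prev = GENESIS
    for rec in chain:
        if rec["body"]["prev"] != prev or _record_hash(rec["body"]) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def sanitize_and_certify(chain, asset_id, device, operator, ts):
    """Overwrite, verify, and record the result (verified=False is still recorded)."""
    overwrite_clear(device)
    ok, bad = verify_cleared(device)
    return append_record(chain, asset_id, "overwrite-1pass", ok, bad, operator, ts)


def demo():
    """Constructed run: one clean erasure and one that fails verification."""
    sample = b"ACCT 4111-2222 BALANCE 10500.00 " * 64     # 2048 bytes of fake content
    chain = []
    sanitize_and_certify(chain, "LAPTOP-0001-SSD", bytearray(sample),
                         "ops-user-1", "2025-06-01T09:00:00Z")
    failed = bytearray(sample)
    overwrite_clear(failed)
    failed[-1] = 0x41         # constructed failure: last byte not overwritten
    ok, offset = verify_cleared(failed)
    append_record(chain, "SERVER-0042-HDD", "overwrite-1pass", ok, offset,
                  "ops-user-1", "2025-06-01T09:30:00Z")
    return chain


if __name__ == "__main__":
    for rec in demo():
        print(rec["hash"][:16], rec["body"]["asset_id"], rec["body"]["verified"])
```

Two points carry over to real ITAD tooling: a failed verification is recorded, not discarded, because the drive then must not be redeployed; and a hash chain only proves tampering with interior records, so the latest hash has to be anchored outside the system (signed, or copied to an independent store) for the trail to be meaningfully tamper-evident.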
A few snippets from the report:
For those organizations holding on to more data than necessary, both risk and liability can increase as more data are accessed by threat actors. More than a third (35%) of those breached experienced customer loss, along with hits to customer revenue (40%) and share prices (36%). Fines, operational downtime, ransoms, and legal costs also added to the impact.
More than direct attacks: Accidental data leaks caused by human error or process failures are almost as common. Such leaks are slightly more common in the financial sector than elsewhere.
A focus on data security must also apply when used storage devices leave secure environments, whether for repairs or retirement. Nearly 20% of financial services organizations reported leaks from redeployed devices, signaling reliance on inadequate destruction and a lack of data removal verification.
Financial service providers are less proactive than other sectors in removing ROT data, but lead peers in designing and communicating sanitization policies (59% vs. 55%).
A quarter of laptops and a fifth of data center drives are refurbished without certified erasure. This puts financial services organizations that rely on non-certified methods such as free software tools, reformatting, or consumer-level software at great risk. In fact, when it came to listing causes of breaches and leaks, this sector cited redeployed, data-bearing assets as being involved 19% of the time. Like physical destruction, the most stringent erasure methods within NIST SP 800-88 and IEEE 2883 leave data recovery infeasible, even with state-of-the-art techniques. This creates room for securely supporting environmental goals and extracting greater value and longevity from IT assets.
Compliance demands will not ease, and data volumes will only grow, but financial institutions that move beyond regulatory minimums can reduce exposure, reclaim value from hardware, and strengthen trust with customers.
The Blancco report serves as a profound warning: the biggest threats to financial data often lie in the fundamental, unglamorous processes of data governance and asset lifecycle management. It's time to secure the back end of the data process as diligently as the front end.