Verizon’s annual Data Breach Investigations Report landed this week with a number that should be in every IT manager’s inbox: third-party involvement in breaches jumped 60% year-on-year and now accounts for nearly half of all breaches.

Every vendor with access to your data is a potential breach vector. That includes the company picking up your retired hardware.

The blind spot most organisations miss

When a laptop or server is retired, the hardware leaves your building. The data on the drive does not leave with it unless someone actively removes it. Without verified data sanitisation aligned to NIST 800-88 Rev. 1, that information is intact, readable, and recoverable.

Most IT security programs have tight controls on live systems. Fewer apply the same rigour to decommissioned equipment. That gap is exactly the kind of third-party exposure the Verizon report is now quantifying at scale.

In Victoria, the risk sits inside a larger compliance picture. The state’s e-waste landfill ban has been in effect since 1 July 2019, a necessary step for environmental protection. It also means more hardware is being routed through collection and disposal services, and the data security practices of those services vary considerably.

What proper ITAD documentation looks like

At Electronic Waste Victoria, every asset moves through a documented chain of custody from the moment it is collected. We process storage media against NIST 800-88 Rev. 1, which covers physical destruction, degaussing, and cryptographic erase for SSDs. Every device is tracked through CircularTrack, our chain-of-custody platform, so each step is recorded and auditable.

We align with ISO 27001 for information security management, ISO 14001 for environmental management, and AS/NZS 5377 for the handling of end-of-life electrical and electronic equipment. Full certification is on our roadmap. Our current processes are built to those standards now.

Every asset we process generates a destruction certificate. If an auditor asks for evidence of due diligence, that documentation exists and is complete.

Why this goes beyond compliance

The Verizon DBIR is not a theoretical risk register. It is a record of what actually happened in the past year. Third-party breaches up 60%. Vulnerability exploitation now the leading initial access vector, accounting for one in three breaches. Ransomware climbing to 48% of all incidents.

The organisations in these statistics mostly had policies in place. The failures happened in gaps that were not covered. Retired hardware, handed to a disposal provider without verified sanitisation controls, is one of those gaps.

A recovered hard drive can hold years of correspondence, financial records, HR files, and customer data. Under the Australian Privacy Principles and the Privacy Act, that is an exposure with real regulatory consequences. Under ISO 27001 and any reasonable reading of information security governance, it is a failure that should have been closed before the hardware left the building.

Four questions to ask before signing a disposal contract

  1. What sanitisation method do you apply to storage media, and does it meet NIST 800-88 Rev. 1?
  2. Can you provide a per-asset chain-of-custody record?
  3. What happens to devices that cannot be sanitised, and how is that documented?
  4. Do you carry professional indemnity cover for data breaches resulting from disposal?

If the answers are vague, that provider is a third-party risk.
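The per-asset chain-of-custody record and the media-appropriate sanitisation check behind questions 1 to 3, as an added illustration that is not Electronic Waste Victoria's own code or CircularTrack; the method-per-media table is a simplified reading of NIST 800-88 Rev. 1 (degaussing does not erase flash; cryptographic erase presumes a self-encrypting drive) and the asset tags and timestamps are constructed.

```python
import hashlib
import json

# Simplified subset of NIST 800-88 Rev. 1 (assumption for this example):
# degaussing does not erase flash, and crypto erase needs a self-encrypting drive.
VALID_METHODS = {
    "hdd": {"overwrite", "degauss", "shred"},
    "ssd": {"crypto_erase", "shred"},
}
GENESIS = "0" * 64


class CustodyLedger:
    """Per-asset custody record: every event commits to the hash of the one before it."""

    def __init__(self, asset_tag, media_type):
        self.asset_tag = asset_tag
        self.media_type = media_type
        self.events = []

    @staticmethod
    def _digest(event):
        body = {k: v for k, v in event.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, step, actor, when, **details):
        """Append a custody step (collect, transport, sanitise, ...) and return its hash."""
        prev = self.events[-1]["hash"] if self.events else GENESIS
        event = {"asset": self.asset_tag, "step": step, "actor": actor,
                 "when": when, "details": details, "prev": prev}
        event["hash"] = self._digest(event)
        self.events.append(event)
        return event["hash"]

    def verify_chain(self):
        """True only if each event's hash matches its body and links to the prior hash."""
        prev = GENESIS
        for e in self.events:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def certificate(self):
        """Issue a destruction certificate only for an intact chain and a fitting method."""
        reject = lambda why: {"asset": self.asset_tag, "status": "REJECTED", "reason": why}
        if not self.verify_chain():
            return reject("ledger integrity failure")
        done = [e for e in self.events if e["step"] == "sanitise"]
        if not done:
            return reject("no sanitisation event recorded")
        method = done[-1]["details"].get("method")
        if method not in VALID_METHODS.get(self.media_type, set()):
            return reject(f"{method} is not an accepted method for {self.media_type}")
        return {"asset": self.asset_tag, "status": "DESTROYED", "method": method,
                "final_hash": self.events[-1]["hash"], "events": len(self.events)}
```

A device that cannot be sanitised by an accepted method never receives a DESTROYED certificate; the rejected record with its reason is the documentation question 3 asks for.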

The practical takeaway

The 2026 Verizon DBIR is a prompt, not a prediction. Third-party risk is manageable when you work with providers who treat data security as a core process rather than an afterthought.

If you are reviewing your ITAD arrangements, contact Electronic Waste Victoria. We will walk you through our process, provide a sample destruction certificate, or put together a quote for your next decommissioning project.

Source: Verizon 2026 Data Breach Investigations Report (published 20 May 2026). Coverage via Help Net Security.