Blancco Report Sheds Light on FIs' Sensitive Data Management
- Nov 7
By Roy Urrico

Eighty-two percent of financial services organizations experienced a data breach via cyberattack, a data leak, or an unintentional exposure of sensitive data in the past year, according to Blancco’s 2025 Financial Services State of Data Sanitization Report. Within the financial services sector, stolen devices and drives contributed to 43% of those breaches or leaks.
The Boston-based Blancco, which provides data erasure and mobile lifecycle solutions, focused on how the financial services sector faces intensifying pressures related to the management of sensitive data stemming from increasing cyberthreats and regulations.

“Financial services organizations manage some of the most sensitive and high-value data of any industry, making the sector a prime target for cyberattacks and placing significant demands on data security and governance,” said Blancco CEO Lou DiFruscio. “Our report provides a glimpse into how the cybersecurity landscape, evolving regulations, advancements in AI (artificial intelligence), and sustainability goals are shaping the way that financial institutions manage and dispose of their data today.”
Blancco’s 2025 Financial Services State of Data Sanitization Report is based on a global survey of 250 decision makers at large financial services organizations with over 5,000 employees.
Finservs Face Intensifying Pressure
Within the financial services sector, over a third of those breached experienced customer loss (37%), with additional impacts including declines in customer revenue (40%) and share prices (36%), according to the Blancco report. Additionally, fines, operational downtime, ransom payments, and legal expenses further intensified the damage.
The Blancco report also noted legally mandated “know your customer” (KYC) and anti-money laundering (AML) policies require collecting and retaining data for fixed timeframes. “Yet getting rid of that data when retention requirements expire is critical to protecting business and client data. That is why data regulations often include data destruction and minimization requirements.” These requirements can come from:
- General regulations like the General Data Protection Regulation (GDPR), a European Union law that provides stringent data privacy and security protections, which also include requirements for proper data disposition, reinforcing the importance of securely deleting data once it is no longer needed.
- Global financial services standards, such as the Payment Card Industry Data Security Standard (PCI DSS).
- A range of regional legislation such as the Fair and Accurate Credit Transactions Act (FACTA) in the U.S. and regulations from the Center for Financial Industry Information Systems (FISC) in Japan.
Credit Union Needs
“Credit unions handle vast amounts of sensitive member information, from financial records to personally identifiable data, making the proper disposal and immediate sanitization of used IT devices a critical security priority,” Russ Ernst, CTO at Blancco, told Finopotamus. “When laptops, servers, or storage drives are retired without verified and auditable data erasure, they can become gateways for data breaches, identity theft, and regulatory violations.”

Ernst continued, “Safeguarding these assets is about more than just protecting hardware, it’s about maintaining compliance with privacy laws, upholding integrity, and preserving member trust that sets credit unions apart from larger financial institutions.”
Maintaining custody of used IT devices on premises adds an essential layer of control and accountability to data security, explained Ernst. “By protecting retired hardware while it remains within the credit union’s physical environment and making sure data is properly sanitized, institutions can significantly reduce the risk of loss, theft, or unauthorized access during transit or third-party handling. This practice ensures a clear chain of custody, strengthens compliance with data protection standards, and reinforces the credit union’s commitment to safeguarding member information at every stage of the device lifecycle.”
Additional Findings
The report also observed:
- The importance of proper data sanitization and compliance with regulations and emerging technical standards, as well as the need to reconsider end-of-life data and device disposal strategies amid evolving risks and new advancements in AI.
- The vast majority of financial services sector respondents – 86% – said their organizations have deployed some form of AI. However, around a quarter said AI adoption made it more difficult to achieve regulatory compliance and nearly 30% reported increased collection of redundant, obsolete and trivial data.
- Overall, 60% of financial services organizations increased their compliance spending in the past year—by an average of 47%. Not only is this sector affected by general data privacy laws; new compliance requirements are often industry-specific, and sometimes apply only to a subset of the sector, such as organizations regulated by the U.S. Securities and Exchange Commission (SEC).
- Adoption of modern sanitization standards remains low. Only one in five respondents shared that their organization requires compliance with the two most prominent data sanitization standards: NIST SP 800-88 Rev 1 (the National Institute of Standards and Technology “Guidelines for Media Sanitization”), 21%; and IEEE 2883 (from the Institute of Electrical and Electronics Engineers), 19%, both of which support media reuse after proper sanitization. “Low adoption of these standards creates unnecessary risk, added cost, and waste in the financial services sector.”
- Organizations unnecessarily destroy nearly half of functional devices. “Many financial institutions default to physical destruction when retiring hardware. A significant share of these devices—up to 47% for data center assets—were still operational at the time of destruction, unnecessarily increasing e-waste and replacement costs,” observed the Blancco report. “However, because it is possible to securely refurbish functional devices, revising policies would cut down on waste, increase efficiency, and even provide options for improved chain-of-custody safeguards for additional risk reduction.”



