Blancco Report: 82% of Financial Services Organizations Experienced Breaches in Past Year — 43% of Incidents Linked to Stolen Hardware

Blancco Technology Group, the industry standard in data erasure and mobile lifecycle solutions, released a new report that shows the financial services sector is facing intensifying pressures related to the management of sensitive data amidst relentless cyberthreats and a growing web of regulations.

Blancco’s2025 Financial Services State of Data Sanitization Report is based on a global survey of 250 decision makers at large financial services organizations of over 5,000 employees. According to Blancco’s report, 82% of financial services organizations have suffered a data breach via cyberattack, or a data leak, an unintentional exposure of sensitive data, in the past year.

Within the financial services sector, 43% of breaches or leaks were attributed to stolen devices and drives. Over a third of those breached experienced customer loss (37%), with additional impacts including declines in customer revenue (40%) and share prices (36%) –  fines, operational downtime, ransom payments, and legal expenses further intensified the damage.

“Financial services organizations manage some of the most sensitive and high-value data of any industry, making the sector a prime target for cyberattacks and placing significant demands on data security and governance,” said Blancco Chief Executive Officer Lou DiFruscio. “Our report provides a glimpse into how the cybersecurity landscape, evolving regulations, advancements in AI, and sustainability goals are shaping the way that financial institutions manage and dispose of their data today.”

In highly regulated industries, holding on to more data than necessary can increase both risk and liability, as more data is accessed by threat actors. For example, in the financial services sector, legally required “Know Your Customer” (KYC) and anti-money laundering (AML) policies mandate data retention for set periods, and timely deletion after those periods is crucial for protecting business and client information. Broader regulations such as the General Data Protection Regulation (GDPR) also include requirements for proper data disposition, reinforcing the importance of securely deleting data once it is no longer needed.

Additional findings in the report also examine the importance of proper data sanitization and compliance with regulations and emerging technical standards, as well as the need to rethink end-of-life data and device disposal strategies amid evolving risks and new advancements in AI:

• Overall, 60% of financial services organizations increased their compliance spending in the past year—by an average of 47%.Not only is this sector impacted by general data privacy laws, new compliance requirements are often industry-specific, like PCI DSS updates, and sometimes apply only to a subset of the sector, such as organizations regulated by the U.S. Securities and Exchange Commission (SEC).
• Adoption of modern sanitization standards remains low; meanwhile, nearly half of functional devices are destroyed unnecessarily. Only one in five respondents shared that their organization requires compliance with the two most prominent data sanitization standards: NIST SP 800-88 Rev 1 (21%) and IEEE 2883 (19%), both of which support media reuse after proper sanitization. Low adoption of these standards creates unnecessary risk, added cost, and waste in the financial services sector.
• The vast majority – 86% – of financial services sector respondents said their organizations have deployed some form of AI.However, around a quarter said AI adoption made it more difficult to achieve regulatory compliance and nearly 30% reported increased collection of redundant, obsolete and trivial (ROT) data.

For additional context and findings, the full report is available here.

Research Methodology:

Blancco commissioned independent research agency Coleman Parkes to survey 250 IT and sustainability leaders at large financial service providers of over 5,000 employees. Respondents were split between North America, Europe (UK, France, and Germany) and APAC (Japan, Singapore, India, and Australia). Fieldwork took place in February and March 2025.