What’s the Cost of Failing to Wipe Your Data Permanently?

Companies spend millions to protect their networks, train employees, and secure the cloud. But there’s one blind spot that continues to cause real damage: what happens to data on devices after they’re decommissioned? If your data wiping isn’t secure, certified, and auditable, you’re not just facing a technical issue. You’re facing a financial risk.

The Real Cost of a Data Breach in 2025

According to the IBM Cost of a Data Breach Report 2025, the average global cost of a breach is now $4.44 million, down slightly from last year’s $4.88 million. But in the U.S., the trend is very different: breach costs have reached an all-time high of $10.22 million, driven by regulatory penalties and rising detection costs.

This is not a hypothetical risk. IBM and the Ponemon Institute analyzed 600 breaches across 17 industries and found that mismanaged data (especially from devices no longer in active use) continues to be a major vulnerability.

Regulatory Pressure Is Rising

Improper data erasure is a risk that regulators worldwide now actively enforce against. In March 2025, the European Data Protection Board (EDPB) launched an enforcement campaign across 32 countries, focusing on compliance with data erasure requests under Article 17 of the GDPR.

Supervisory authorities are evaluating whether businesses:

  • Properly delete data from active systems and backups
  • Communicate effectively with data subjects about erasure outcomes
  • Maintain audit trails and deletion logs

Companies that fail to meet these obligations face investigations, public scrutiny, and substantial fines.

Global Cases That Show the High Cost of Failure

  • KASPR (France – 2025)
    France's CNIL fined KASPR €200,000 for not deleting unlawfully collected data, including contact details of individuals who restricted their visibility. The company was also ordered to delete the data and was penalized under GDPR Articles 5(1)(e), 12, and 14.
  • Morgan Stanley (US – 2022)
    Morgan Stanley was fined $35 million by the SEC for failing to properly erase servers and hard drives that contained the personal data of 15 million clients. The case later escalated into a $60 million class-action settlement due to similar issues.

Devices Don’t Forget

Decommissioned IT equipment (laptops, mobile phones, servers, storage arrays) often still contains valuable data: customer records, financial data, passwords, contracts, and more. If this data is not properly and permanently erased, it remains at risk of exposure through theft, resale, or misplacement.

And if it leaks? You may face millions in fines, legal action, loss of customer trust, and long-term damage to your reputation.

Where Certainty Matters, Choose Certus

At Certus Software, we empower businesses to effectively manage their data erasure processes, making them simple, secure, and compliant. Our certified solutions guarantee that no data is overlooked, helping you meet regulatory requirements, prevent breaches, and build trust. In today’s world, permanent data erasure is not just an option; it is essential.

The cost of a breach is rising. The cost of prevention? Far lower. Secure your decommissioning process with Certus.