Mick Payne remembers the moment the madness of the way we dispose of our data was brought home to him.
The chief operating officer of Techbuyer, an IT asset disposal company in Harrogate, was standing in a large windowless room of a data center in London surrounded by thousands of used hard drives owned by a credit card company. Knowing he could wipe the drives and sell them on, he offered a six-figure sum for all the devices.
The answer was no. Instead, a lorry would be driven up to the site, and the data-storing devices would be dropped inside by authorized security personnel. Then industrial machines would shred them into tiny fragments.
“I walked out and thought, ‘This is absolutely crazy’,” says Payne. “They couldn’t allow the disks to leave the building—despite the fact we could wipe them on-site then sell to a new customer who could make use of them for years to come… It was a complete waste.”
Payne had experienced first-hand the ubiquitous industry practice of shredding data-storing devices.
Every day when you fire off emails, update a Google document, or take a photo, the data generated is not stored in a “cloud” as the metaphor suggests. Instead it is stowed across several of the world’s estimated 70 million servers, each one a steel box about the size of a kitchen sink, made up of all sorts of precious metals, critical minerals, and plastics.
The servers contain several data-storing devices, each roughly the size of a VCR tape. They sit inside the world’s 23,000 data centers, some of which span floorspace equivalent to dozens of Olympic-sized swimming pools. When companies decide they want to upgrade their equipment, which usually happens every three to five years, data-storing devices are routinely destroyed in a process like the one Payne described.
Companies such as Amazon and Microsoft, as well as banks, police services, and government departments, shred millions of data-storing devices each year, the Financial Times has learnt through interviews with more than 30 people who work in and around the decommissioning industry and via dozens of freedom of information requests.
This is despite a growing chorus of industry insiders who say there is another, better option to safely dispose of data: using computer software to securely wipe the devices before selling them on the secondary market.
“From a data security perspective, you do not need to shred,” says Felice Alfieri, a European Commission official who co-authored a report about how to make data centers more sustainable and is promoting “data deletion” over device destruction.
The trust problem
Underpinning the reluctance to move away from shredding is the fear that data could leak, triggering fury from customers and huge fines from regulators.
Last month, the US Securities and Exchange Commission fined Morgan Stanley $35 million for an “astonishing” failure to protect customer data, after the bank’s decommissioned servers and hard drives were sold on without being properly wiped by an inexperienced company it had contracted. This was on top of a $60 million fine in 2020 and a $60 million class action settlement reached earlier this year. Some of the hardware containing bank data ended up being auctioned online.
While the incident stemmed from a failure to wipe the devices before selling them on, the bank now mandates that every one of its data-storing devices is destroyed—the vast majority on site. This approach is widespread.
One employee at Amazon Web Services, who spoke on condition of anonymity, explained that the company shreds every single data-storing device once it is deemed obsolete, usually after three to five years of use: “If we let one [piece of data] slip through, we lose the trust of our customers.” Amazon declined to comment.