The $10 Million Problem You’ve Already Created: How Data ROT Is Fueling the Next Cyber Crisis
It’s not the hackers that will sink you. It’s the terabytes of forgotten files, decade-old HR records, and dusty email archives you never bothered to delete. In today’s breach economy, storage is cheap — but every extra gigabyte is another liability waiting to be stolen.
On the latest episode of Data Xposure, Justin Tolman sat down with John Wilson, CISO at HaystackID and a veteran of digital forensics and incident response, to unpack why “data ROT” (redundant, obsolete, or trivial data) has become the most dangerous and least managed risk hiding inside every organization, and how organizations are unknowingly stockpiling their own downfall.
Data ROT: The Breach Multiplier
Wilson has spent decades investigating breaches for governments and Fortune 500s. His verdict is blunt: data ROT is a breach multiplier. A single stolen credential or compromised device is bad enough. But when that attacker stumbles into sprawling archives of unclassified, unnecessary, or poorly protected information, the impact skyrockets.
Consider the AT&T breach: more than 100 million Social Security numbers, dates of birth, and addresses exposed. The cost of storing those records was negligible. The cost of losing them? Nearly $10 million per incident in the U.S., according to IBM’s 2024 breach report.
Why Attackers Are Winning
The rise of organized, venture-backed threat groups has tilted the economics of cybercrime in the attacker’s favor. “What used to be kids in basements is now billion-dollar syndicates,” Wilson said. “They have the resources to study your systems more carefully than most businesses can defend them.”
Worse, the explosion of IoT devices and cloud storage means sensitive data lives everywhere: from corporate laptops to smart microwaves, from SharePoint drives to forgotten email servers. Every uncontrolled pocket of information is another doorway into the enterprise.
The Compliance Blind Spot
For legal and compliance leaders, the implications are just as dire. Retaining data without a clear purpose doesn’t just expand breach impact; it undermines defensibility in litigation and regulatory audits. “Organizations think they understand their data,” Wilson warned. “In every engagement I’ve had, they almost never do. They’re shocked when we show them where sensitive identifiers are duplicated, scattered, and left unprotected.”
Regulators are watching. Plaintiffs’ attorneys are circling. And executives are beginning to realize that “keeping everything” is no longer a safe default; it’s a direct path to exposure.
Where to Start: Kill the Data ROT
Wilson’s advice is deceptively simple: kill the data ROT.
Start with data mapping. Know where your personally identifiable information (PII), health records (PHI), and financial data actually sit — not just where policies say they’re supposed to be. Then make hard decisions: if you don’t need it for business or regulatory reasons, eliminate it. If you do need it, anonymize or pseudonymize it.
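The three steps above (map where identifiers sit, delete what has no business or regulatory purpose, pseudonymize what remains) can be sketched as a small triage script. The following is an added example written for this article, not code from HaystackID or the Data Xposure podcast. It scans a constructed in-memory file set for SSN-, email- and card-shaped identifiers, applies an assumed per-department retention limit to decide between keep, delete and pseudonymize, and replaces identifiers in retained files with keyed-hash tokens (HMAC-SHA256) so records can still be joined without carrying the raw value. The file paths, retention years, current year, secret key and file contents are all constructed assumptions; the retention-age rule goes one step beyond the text, which only says to eliminate data you do not need.

```python
"""Data-ROT triage: inventory sensitive identifiers in a file set, then apply
a retention decision (delete / pseudonymize / keep) per file.

Added example; not HaystackID's or the podcast's code. Paths, retention rules,
the secret key and the sample file contents are all constructed assumptions.
"""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample corpus: path -> contents. All identifiers are fabricated.
SAMPLE_FILES = {
    "hr/archive/2009_payroll.csv": (
        "name,ssn,email\n"
        "A. Example,123-45-6789,a.example@example.com\n"
        "B. Example,987-65-4321,b.example@example.com\n"
    ),
    "finance/active/2025_invoices.csv": (
        "customer,email,card\n"
        "Acme Co,billing@example.net,4111111111111111\n"
    ),
    "marketing/slides/q3_deck_notes.txt": "Ship the Q3 deck by Friday.\n",
}

# Identifier classes the article names (PII, with card numbers standing in for financial data).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}

# Assumed retention policy: top-level folder -> maximum age in years.
RETENTION_YEARS = {"hr": 7, "finance": 10, "marketing": 1}
CURRENT_YEAR = 2025  # constructed, so results are stable


def inventory(files):
    """Data-mapping step: count each identifier class in every file."""
    result = {}
    for path, text in files.items():
        counts = Counter()
        for label, rx in PATTERNS.items():
            counts[label] += len(rx.findall(text))
        result[path] = dict(counts)
    return result


def file_year(path):
    """Pull a four-digit year out of the file name; None if there is none."""
    m = re.search(r"(19|20)\d{2}", path.rsplit("/", 1)[-1])
    return int(m.group(0)) if m else None


def decide(path, counts):
    """Retention decision for one file based on its identifier counts and age."""
    if not any(counts.values()):
        return "keep"          # nothing sensitive found; out of scope for this triage
    area = path.split("/", 1)[0]
    limit = RETENTION_YEARS.get(area)
    year = file_year(path)
    if limit is not None and year is not None and CURRENT_YEAR - year > limit:
        return "delete"        # past retention: no business or regulatory need assumed
    return "pseudonymize"      # still needed: strip the direct identifiers


def pseudonymize(text, key):
    """Replace every identifier with a keyed-hash token (truncated HMAC-SHA256).

    The same key maps the same value to the same token, so records still join;
    without the key the token cannot be reversed to the original value."""
    def replacer(label):
        def repl(m):
            digest = hmac.new(key, m.group(0).encode(), hashlib.sha256).hexdigest()
            return f"<{label}:{digest[:12]}>"
        return repl
    for label, rx in PATTERNS.items():
        text = rx.sub(replacer(label), text)
    return text


def triage(files, key):
    """Map, decide and transform; returns {path: (decision, resulting text or None)}."""
    out = {}
    for path, counts in inventory(files).items():
        action = decide(path, counts)
        if action == "delete":
            out[path] = (action, None)
        elif action == "pseudonymize":
            out[path] = (action, pseudonymize(files[path], key))
        else:
            out[path] = (action, files[path])
    return out


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-use"  # real deployments keep this in a vault
    inv = inventory(SAMPLE_FILES)
    for path, (action, _) in triage(SAMPLE_FILES, demo_key).items():
        print(f"{action:12} {path}  {inv[path]}")
```

In this run the 2009 HR payroll file is flagged for deletion, the active invoice file keeps its structure but loses the raw email and card number, and the slide notes are left alone. In practice the regexes would be one signal among several (classification labels, column names, sampling of structured stores), and the delete decision would be gated on legal-hold checks before anything is actually removed.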
As Wilson put it: “The cost of storing the data isn’t the problem anymore. The real cost is in the risk you’re creating by keeping it.”
The Bottom Line
Cybersecurity leaders often obsess over firewalls, threat detection, and zero trust. Those matter. But if your organization is drowning in outdated, unnecessary data, you’re building your house on quicksand.
The cheapest, fastest way to cut risk isn’t buying another tool — it’s cleaning up your own backyard.
Because in 2025, the real question isn’t if your data will be breached. It’s how much unnecessary damage you’ve set yourself up for when it happens.
Listen to the full conversation with John Wilson on Data Xposure here.