Sounds like a resourceful IT tech
I'll take pause to not outright convict the accused. There was a window of time where this was perfectly acceptable.
Roll back to the days before dumpster divers and previously used drives on eBay. Often old computers simply went in "the bin" as the concept of "e-waste" wasn't created yet. But also at a time current enough where the "everything must be under warranty" equipment policy was in place.
There was a lot of good serviceable kit that got replaced before its time, and no one cared where the old stuff went. It was actually pretty common to re-purpose old kit in to non-critical systems. Yes, sometimes that was home systems. Often it was on-site test systems. Think of the next big software or OS upgrade. What better way to test in non-prod than by using the previous prod systems? Especially in a budget tight IT environment where funding for non-prod testing is non-existent.
It is entirely possible, if not probable, that someone said to junk the old system. No one understood the security risks in doing so. Computers were mysterious widgets to a lot of people. From their perspective, taking the hard drive out of an old computer was no different than a janitor taking the electric motor out of the old vacuum cleaner they just replaced.
Certainly in the context of our modern data security & privacy arena this is a heinous act worthy of termination & criminal action. But there was a time a few decades back where it was just normal good practice for IT techs to reclaim & repurpose old kit that still had some service life left.