First rule of hard drives: wipe the drives before getting rid of them.
It’s not every day that a major firm makes a complete mess of its customer data. But it did happen at the investment firm Morgan Stanley Wealth Management (at the time known as Morgan Stanley Smith Barney, or MSSB), and the mess was bad enough that the SEC launched an investigation.
For a five-year period starting in 2015, Morgan Stanley contracted a moving and storage company to discard its decommissioned hard drives. There were just three problems with this course of action:
- Morgan Stanley did not so much as attempt to wipe the drives of customer data (possibly their biggest mistake in the whole affair)
- Morgan Stanley did not encrypt any of the data on these drives at any point
- The company they hired had “no experience or expertise in data destruction services” (according to the SEC)
While the first two are the biggest points of failure here, the last is perhaps the most important. The SEC found that the contractor didn’t wipe the drives either. Even worse, it simply sold the drives to a third party, which in turn auctioned them off with the customer data intact. Most of the drives sold in this fashion are still unrecovered. As the SEC states:
A records reconciliation exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing. Moreover, during this process, MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.
To put it bluntly, Gurbir S. Grewal, Director of the SEC’s Enforcement Division, was appalled:
MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.
Gurbir S. Grewal
We legitimately live in a world where an investment firm has a lower level of infosec than Ted.
Source: PC Mag