Financial giant Morgan Stanley may have recently learned a valuable lesson about money, IT disposal, data, and the importance of due diligence. This lesson was hopefully learned when the U.S. Securities and Exchange Commission settled charges against Morgan Stanley Smith Barney (MSSB) for failing to protect the personal identifying information of around 15 million of its customers. MSSB agreed to pay $35 million (on top of additional costs and fines) to settle the allegations that it failed to properly dispose of hard drives and servers containing customers’ personal data.
Where did things go wrong? A few places. Let’s dive in, and then we’ll review the mistakes at the end.
In 2016, Morgan Stanley hired a moving and storage company, Triple Crown, to decommission IT assets from two data centers. It was known that Triple Crown was strictly a moving company and not experienced with electronic data destruction. Some of the hard drives were later found on an internet auction site with customers’ personal data still stored within.
The contract with Triple Crown identified an unnamed e-scrap management company that would sanitize the devices and resell them for a commission, with Morgan Stanley obtaining a cut.
Triple Crown stopped working with the unidentified company and sold the devices to a reputable and certified IT asset disposal company, without Morgan Stanley’s knowledge. When Triple Crown sold the equipment, they said that the devices had been wiped clean. Except they weren’t.
Why did Triple Crown say that? Maybe they thought it was true. This wasn’t their line of expertise. Or maybe they knew they’d make more money by requiring fewer services from the sale of the devices. Maybe they had NO idea how much trouble Morgan Stanley would have if/when their customers’ data got out. Either way, the IT asset disposal company resold the devices to KruseCom, who sold some of them on an auction site. Customer personal and financial data were still on those devices.
The SEC also alleged that Morgan Stanley lost track of 42 servers that potentially contained unencrypted customer data when it decommissioned local office and branch servers as part of a hardware refresh program. The devices being decommissioned had been equipped with encryption capability but Morgan Stanley had failed to activate the encryption software.
What can we learn from Morgan Stanley’s VERY expensive lesson? Let’s examine what they did wrong.
Mistake #1 was to use a moving and storage company with no experience in IT disposal. Morgan Stanley may not have realized the importance of proper vetting, but a vendor with years of industry experience in the proper deinstallation, moving, storage, and disposal of devices that store data (hard drives, servers, copiers, cell phones, computers, etc.) would have greatly reduced the chances of this happening.
Mistake #2 happened because Morgan Stanley either thought, or was told, that their devices still had value, and if they contracted with a company that could recoup some of that value, they would save money. And if everything went smoothly, that’s what could have happened. Except it doesn’t always go smoothly. It didn’t go smoothly for them at all, which is why they are now the perfect example of why data destruction is ALWAYS a better option than data wiping.
Mistake #3 also revolves around proper vetting. Not only did Triple Crown not have industry experience, but they also didn’t have IT disposal certifications. The strictest of these, R2 certification, would have ensured that Triple Crown only used other R2 partners, since one of the governing rules of R2 certification is that certified IT disposal companies guard downstream control of the recycling chain.
Mistake #4 could have been avoided in two ways. When Morgan Stanley decommissioned their servers without encrypting the drives, they were carelessly trusting their disposal process and the chain of custody that was to follow. Encrypting the drives would have helped, although the truth is, they still would have been lost during the disposal process. A better option for them, considering the highly sensitive information found on those drives, would have been on-site destruction. The hard drives would never have left their property intact, and NO information would ever have been recoverable.
So what’s the lesson? It’s a pretty simple one.
You can never be too careful.
At least, not when it’s your customers’ information and your reputation on the line. Morgan Stanley wanted to save money on IT disposal by using an inexpensive service and getting some money back for their retired equipment.
In the end, between fines, lawyers, and class action lawsuits, it cost them somewhere around $60 million. They also suffered from bad publicity and a loss of reputation.
The right choice would have been to partner with an experienced, licensed and certified R2 recycler who destroys, rather than wipes and resells, hard drives. This is the ONLY way that Morgan Stanley would have been 100% secure, since every device that stored their customers’ information would have been rendered unrecoverable and non-usable.