News Morgan Stanley Fined $35 Million for Not Encrypting HDDs, Servers

I guess that's one less ivory backscratcher for each of the executives this year. Government fines for big companies are stuck in a 1950s mindset of what constitutes big fines. Now it can be a lot cheaper to just pay the fine than do things right. Add another zero or two and they'd really have felt the burn. $35 Mil probably hurts them as much as me getting a six pack of decent beer.
 
I don't use Morgan Stanley for other reasons, but this is just complete negligence! Should have been a $350M fine. It runs with what I've seen from Morgan Stanley before. I don't care for the philosophy of this company, which often puts dumb politics ahead of business, imo.
 
I agree that fine is a joke; they will make back 35 million in probably less than 24 hours.

Even a complete moron knows you have to properly wipe hard drives and even more so when they have client data on them.
 
Take a drill and punch a hole, 30 seconds to 1 minute... easy? Or take a good ol' hammer and have fun with it?
That is not enough of a complete destruction to safeguard the information on the drive when left unencrypted or otherwise. You essentially need to melt down the platters and shred the circuit boards in the HDDs to completely annul the data from them destructively. Even then it's as simple as removing all PCBs and chucking them all in a furnace and throwing the PCBs into one of those large object shredders.
 
Naa, just throw the whole drive in.
We have shredders that turn physical drives into basically dust.

But the problem isn't how to dispose, but rather that the data wasn't encrypted.
 
Well, it depends on what the industrial shredder is rated to do. If it is rated at 2x2 inch reduction for a hard drive, isn't that technically unsafe, to leave such large pieces of a platter? However, if you can turn a hard drive into millimeter-sized pellets then it would be safe for sure. I am more familiar with the way I have done it in the past, which is to dump all the platters into a furnace and melt them into a clump. There is no retrieving that. I would liken shredding to paper shredders: there is a possibility of patching it back together and stealing the data depending on shred size. Incineration, on the other hand, is significantly harder to come back from. I was replying specifically to the minimum destructive process to render a drive unrecoverable.
 
Unless you're trying to protect against targeted data harvesting by well-funded (e.g. state-sponsored) actors, drilling a hole is probably fine.

Edit: I have no idea if drilling a hole is sufficient in terms of the legal requirements for a company to protect your data though.
 
Excuse me but unless there is a LAW or REGULATION requiring the data to be erased before disposal or requirement the disposal company used erases the data, this fine should not take place.

I worked as a systems programmer for A. G. Edwards and Sons. It was an extremely conservative company with the policy that the customers ALWAYS came first where money was concerned. All errors were adjudicated in the favor of the investor. For the first time since leaving the USMC, I was actually PROUD of who I worked for and was associated with because of that corporate attitude. I worked closely with the people that maintained the disks for data, including customer data. So I know a bit about situations like Morgan Stanley's.

Yes, we erased but I believe that was our corporate policy not a requirement.

If customer data was accessed, that should at most be a CIVIL matter, not an SEC matter. The SEC is not there to monitor protection of data. The SEC is there to ensure fair trading of stocks and reporting of corporate status so investors can buy or sell with all knowing (or having access to information so they could know) the same information. I considered our company like the back end for bookies (the brokers). Our researchers followed the various companies and provided information for the brokers (kind of setting the odds) so they could advise our customers. As long as a brokerage is correctly advising customers based on the customer goals and the brokerage is correctly maintaining accounts based on customer investment wishes, it should not be an SEC matter. (The advising is not so critical, rather not giving bad advice. I know there are now some brokerages that just handle buys and sells and give NO advice at all. I would not use one, but then rarely do I wish to do all the research.)

I do not know if the SEC fine limits civil action, prevents civil action, or increases the chance and success of civil action. But again I say this is a CIVIL matter unless laws and regulations have changed.
 
"The commission also found out that in several cases, Morgan Stanley contracted a "moving and storage company with no experience or expertise in data destruction services" to retire thousands of HDDs and servers containing the personal information of millions of its clients. Instead of destroying the drives and server, the company sold them to a third party, which sold them on an Internet auction. "

So all YOUR personal data....sold at auction.

The SEC IS one of the entities that should be regulating this.
 
It would basically be impossible to use a platter chopped into 2x2 inch squares. That would almost assuredly bend the squares. Data density is so great the heads of a hard drive must float at a few microns above a platter. Any distortion will cause the heads to actually crash into and potentially get stuck in the platter (I have actually seen a platter with a head that crashed into it and was stuck, yanked free from the arm). A head floating any higher would be unable to isolate the data bit at a single point from the data in the field within range of the magnetic sensor on the head. To give a comparison, you are at a rock concert with the music blasting out and your significant other tries to whisper something to you from a foot away. The comments are buried in all the other noise. Each individual bit is buried in the noise.

Melting is overkill.

If I had a BUNCH of disks to replace with customer information, I would just get a cabinet with multiple drive slots (they come in up to sixteen 3.5 in HDD cabinets for consumers, and SuperMicro has a ninety (90) 3.5 in HDD 4U server tray). I would have my computer connected to the cabinet or tray and simply do a secure erase. A secure erase is considered sufficient for USA government top secret sensitive compartmentalized information and nuclear weapons information. It should be good enough for any business. A secure erase writes over the data 10 times, first with all 1's, then all 0's, then several patterns, then random, then a final all 0's. This leaves the disk viable for resale. If you really feel more is needed, just run the secure erase again. If many disks are replaced, the funds from the resale will easily pay the employee's salary or pay (part-time). If only a few, it can be done as an additional responsibility of an IT person, for instance changing out the disks when they come to work, when they go home, and at lunch.
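One thing the post above leaves out is verification: after the final all-zero pass, you want evidence the drive actually came back clean before it goes out the door for resale. The following is an added example, not code from the thread or from any vendor tool; it samples random sectors of a drive or image and flags the first one that still holds non-zero bytes. `verify_wiped` and `check_image` are hypothetical helper names, and the "leftover data" in the fixture is constructed for the demo.

```python
import os
import random
import tempfile

SECTOR = 512  # assumed logical sector size; adjust for 4Kn drives


def verify_wiped(path, samples=256, seed=None):
    """Return (ok, first_dirty_offset). ok is True only if every sampled
    sector is entirely zero. Sampling is random so repeated runs cover
    different regions; pass seed for reproducible runs."""
    rng = random.Random(seed)
    with open(path, "rb", buffering=0) as fh:
        # block devices report st_size 0, so measure by seeking to the end
        size = fh.seek(0, os.SEEK_END)
        sectors = max(size // SECTOR, 1)
        # always include first and last sectors: partition tables and the
        # backup GPT header live there and are the usual leftovers
        picks = {0, sectors - 1}
        while len(picks) < min(samples, sectors):
            picks.add(rng.randrange(sectors))
        for s in sorted(picks):
            fh.seek(s * SECTOR)
            if fh.read(SECTOR).strip(b"\x00"):  # any non-zero byte left?
                return False, s * SECTOR
    return True, None


def check_image(n_sectors, dirty_sector=None):
    """Constructed fixture: build an all-zero image, optionally plant one
    sector of fake leftover data, verify it, and clean up. Returns the
    (ok, offset) tuple from verify_wiped."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"\x00" * SECTOR * n_sectors)
            if dirty_sector is not None:
                fh.seek(dirty_sector * SECTOR)
                fh.write(b"ACCOUNT 1234 JANE DOE")  # constructed sample
        # samples >= n_sectors, so every sector of the small image is read
        return verify_wiped(path, samples=n_sectors, seed=1)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("clean image:", check_image(64))
    print("leftover at sector 17:", check_image(64, dirty_sector=17))
```

Against a real device (run as root, e.g. `verify_wiped("/dev/sdX")`) the check is a sample, not a full read, so raise `samples` or loop over it for drives that held regulated data.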
 