Morgan Stanley didn't wipe their hard drives before giving them to a third party (opens in new tab)

(sec.gov)

90 pointsBenlights3y ago37 comments

37 comments

> "Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”

$35 million fine for 15 million customer's PII. The 'clear message' is that a customer's PII is worth about $2. Meanwhile the customers are on the hook for fraud monitoring in perpetuity.

routerl3y ago

"Punishable by fine" means "legal if you can afford it".

Until living, breathing, actual people face real consequences for this kind of thing, any enforcement actions are just theater.

cyanydeez3y ago

For corporations it means, "make sure there's a line item for the fines"

At least humans are mostly controlled by ethics and morals.

Corporations, not so much.

cyanydeez3y ago

2$ for enforcement.

Isn't like annually worth like $10.

smabie3y ago

Could you sell each customers PII for more than $2 on darkweb? I kinda doubt it, seems like fair fine to me.

psd13y ago

lolwut.

If I cut open your £180k Aston Martin with an angle grinder to steal a pair of sunglasses that I sell in a pub for £10, should my fine be £11?

ShowalkKama3y ago

depends on what data we are talking about but yea, it can easily go for 5-10$ (highly depends on the information we are talking about) especially for financial data

duxup3y ago

I used to visit the data centers of some very large financial institutions.

The SoP at those places was that hard drives from the data center NEVER left the building except through a device that destroyed them…. Their security guards were really into checking for them and etc.

It was a pretty common rule across those banks and etc at that time, and that was quite a while ago.

LinuxBender3y ago

Same. We had a "keep your disk" policy with both HP and Dell. Newer managers and directors hated it because they saw the price-tag and did not understand the incredible value it brought to the sales team when discussing security and privacy. We gained significant confidence from large prospects and customers when they learned we physically shredded disks and logged each serial number. This was in addition to the customer data being encrypted at-rest.

hangonhn3y ago

Same. When I used to work at a hedge the standard procedure was to zero them out first. Then retain the hard drives in a closet. Then someone could come periodically to physically destroy them.

toomuchtodo3y ago

How was the process governed so that drives actually were wiped before going out the door? That’s really the challenge, the humans managing the kit are the weakest link. I do like the comment about drives only able to depart the premises through a shredder.

1 more reply

cm21873y ago

At the same time I heard several stories of people copying the files onto their desktop hard drives and leaving the building with them when lehman went bust.

duxup3y ago

I didn't see any indication that the hard drives from the data center policy had anything to do with drone's laptops coming and going.

To be clear in one building there were a few thousand people working. When I visited myself and maybe a dozen or two dozen other people in the building had access to the data center. Cameras everywhere, appointment verification, IDs, man traps and all.

I'd visit and go up to the doors and passers by would stop to watch "he's going inside..."

Whatever a random drone was doing with their laptop, that's a whole other issue / policy.

It was even more fun at military sites. NOTHING non essential ever left. You, your ID (they held it), your clothing, glasses... that was all that came out, your laptop and any spare parts were left behind every time. If you went to the very special sites... you also made sure nothing was in your car that you didn't want to lose.

2 more replies

baobabKoodaa3y ago

The real mistake in this trainwreck was that Morgan Stanley didn't encrypt their hard drives.

Sebb7673y ago

Fully agreed. People like to complain about disk encryption just being a security theater checkbox in a cloud or datacenter environment, but this is exactly why it is needed.

nikau3y ago

Worth nothing that Morgan Stanley essentially acquired Smith Barney a few years before this issue, so likely procedures were not synced up or ignored due to the integration work going on.

kube-system3y ago

Many devices that a business might throw away in 2015 may not have been devices that supported full disk encryption out of the box.

Li7h3y ago

>Moreover, during this process, MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.

kadoban3y ago

I've been using fde since like 2005 or so and I'm not even a bank. Seems like they don't have much excuse?

2 more replies

billybuckwheat3y ago

>MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers

Guess the smartest people in the room weren't in the IT department ... Wonder if they chose that moving and storage company because they were a cheaper option.

rizza3y ago

Opinions are my own As someone who works for a large financial institution, THIS SHOULD NEVER HAVE HAPPENED! This could be deeply flawed security and controls processes, a culture of not my problem, their tech leadership being incompetent, or CFO driving CIO/CTO decision making. Either way this is not the sign of a healthy company and the rot likely runs much deeper. You dont make this kind of mistake in this industry at a firm of that size.

advisedwang3y ago

I wonder if the "moving and storage company with no experience or expertise in data destruction" was owned by a relative or friend of a Morgan Stanley exec.

notaccept3y ago

This is completey unacceptable - not wiping your hard dicks before going to a party, that too a third one? Stop the madness. Not cool at all.

j / k navigate · click thread line to collapse

37 comments

snarfy3y ago

> "Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”

$35 million fine for 15 million customer's PII. The 'clear message' is that a customer's PII is worth about $2. Meanwhile the customers are on the hook for fraud monitoring in perpetuity.

routerl3y ago

"Punishable by fine" means "legal if you can afford it".

Until living, breathing, actual people face real consequences for this kind of thing, any enforcement actions are just theater.

cyanydeez3y ago

For corporations it means, "make sure there's a line item for the fines"

At least humans are mostly controlled by ethics and morals.

Corporations, not so much.

cyanydeez3y ago

2$ for enforcement.

Isn't like annually worth like $10.

smabie3y ago

Could you sell each customers PII for more than $2 on darkweb? I kinda doubt it, seems like fair fine to me.

psd13y ago

lolwut.

If I cut open your £180k Aston Martin with an angle grinder to steal a pair of sunglasses that I sell in a pub for £10, should my fine be £11?

ShowalkKama3y ago

depends on what data we are talking about but yea, it can easily go for 5-10$ (highly depends on the information we are talking about) especially for financial data

duxup3y ago

I used to visit the data centers of some very large financial institutions.

It was a pretty common rule across those banks and etc at that time, and that was quite a while ago.

LinuxBender3y ago

hangonhn3y ago

Same. When I used to work at a hedge the standard procedure was to zero them out first. Then retain the hard drives in a closet. Then someone could come periodically to physically destroy them.

toomuchtodo3y ago

1 more reply

cm21873y ago

At the same time I heard several stories of people copying the files onto their desktop hard drives and leaving the building with them when lehman went bust.

duxup3y ago

I didn't see any indication that the hard drives from the data center policy had anything to do with drone's laptops coming and going.

I'd visit and go up to the doors and passers by would stop to watch "he's going inside..."

Whatever a random drone was doing with their laptop, that's a whole other issue / policy.

2 more replies

baobabKoodaa3y ago

The real mistake in this trainwreck was that Morgan Stanley didn't encrypt their hard drives.

Sebb7673y ago

Fully agreed. People like to complain about disk encryption just being a security theater checkbox in a cloud or datacenter environment, but this is exactly why it is needed.

nikau3y ago

Worth nothing that Morgan Stanley essentially acquired Smith Barney a few years before this issue, so likely procedures were not synced up or ignored due to the integration work going on.

kube-system3y ago

Many devices that a business might throw away in 2015 may not have been devices that supported full disk encryption out of the box.

Li7h3y ago

kadoban3y ago

I've been using fde since like 2005 or so and I'm not even a bank. Seems like they don't have much excuse?

2 more replies

billybuckwheat3y ago

>MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers

Guess the smartest people in the room weren't in the IT department ... Wonder if they chose that moving and storage company because they were a cheaper option.

rizza3y ago

advisedwang3y ago

I wonder if the "moving and storage company with no experience or expertise in data destruction" was owned by a relative or friend of a Morgan Stanley exec.

notaccept3y ago

This is completey unacceptable - not wiping your hard dicks before going to a party, that too a third one? Stop the madness. Not cool at all.

j / k navigate · click thread line to collapse