Morgan Stanley Hard Drives With Client Data Turn Up On Auction Site (nytimes.com)
An anonymous reader quotes a report from the New York Times: Morgan Stanley Smith Barney has agreed to pay a $35 million fine to settle claims that it failed to protect the personal information of about 15 million customers, the Securities and Exchange Commission said on Tuesday. In a statement announcing the settlement, the S.E.C. described what it called Morgan Stanley's "extensive failures," over a five-year period beginning in 2015, to safeguard customer information, in part by not properly disposing of hard drives and servers that ended up for sale on an internet auction site.
On several occasions, the commission said, Morgan Stanley hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the personal information of millions of its customers. The moving company then sold thousands of the devices to a third party, and the devices were then resold on an unnamed internet auction site, the commission said. An information technology consultant in Oklahoma who bought some of the hard drives on the internet chastised Morgan Stanley after he found that he could still access the firm's data on those devices.
Morgan Stanley is "a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware," the consultant wrote in an email to Morgan Stanley in October 2017, according to the S.E.C. The firm should, at a minimum, get "some kind of verification of data destruction from the vendors you sell equipment to," the consultant wrote, according to the S.E.C. Morgan Stanley eventually bought the hard drives back from the consultant. Morgan Stanley also recovered some of the other devices that it had improperly discarded, but has not recovered the "vast majority" of them, the commission said. The settlement also notes that Morgan Stanley "had not properly disposed of consumer report information when it decommissioned servers from local offices and branches as part of a 'hardware refresh program' in 2019," reports the Times. "Morgan Stanley later learned that the devices had been equipped with encryption capability, but that it had failed to activate the encryption software for years, the commission said."
Re: (Score:3, Insightful)
That is some appalling incompetence.
My daughter uses encrypted partitions even for her cat videos. A $150B corporation should be able to do the same.
we outsourced most of IT to sub contractors (Score:2)
we outsourced most of IT to sub contractors
Re: (Score:3)
The company I work for uses encrypted partitions and a $29 sledgehammer.
The combination is very effective.
Re: (Score:2)
It's wasteful.
Using obsolete HDDs is even more wasteful.
Newer HDDs use less power and hold far more data.
If they could still be used cost-effectively, we wouldn't be discarding them.
Re: (Score:3)
You're a smug arrogant know-it-all.
Perhaps. But that doesn't make me wrong.
Have you calculated the energy and pollution that goes into making new hard drives, and factored that into your equation?
Have you factored the $35M fine into your equation?
I'll bet Morgan Stanley wishes they had used my trusty ol' sledgehammer.
Re: (Score:2)
More of a drill press guy myself. Metal shavings do wonders for data destruction. Thinking about upgrading to a wood chipper. /s
Re: (Score:1)
Re: (Score:2)
Many companies discard old HDDs after a set number of years, regardless of their condition. Ideally they base the replacement time on when the number of failures starts to rise rapidly.
Those drives could be used elsewhere, although they are more likely to fail. It's just that nobody really wants to take on the cost of using them, i.e. the employee downtime when their computer becomes unstable, and the IT resources to keep a load of spare machines on hand to swap out. Just replace all the machines, get the l
Re: (Score:2)
"Newer HDDs use less power and hold far more data."
Nobody wants shingled magnetic recording.
To get the same hard drive as a few years ago, you have to pay more. They didn't lower the price of shingled drives, they raised it for normal magnetic recording. This isn't advancement, it's introducing an inferior product then pushing the other products to a more expensive tier.
There's a market for old drives because half (or more) of the new drives are crap. People wouldn't chance their data to old hard drives if t
Re: (Score:2)
The company I work for has a deal with a local steel mill (actually, the company that deals with destroying the drives for us does). Those things literally get melted down.
Re: (Score:2)
Re: (Score:2)
A drill press works pretty well, too.
Sure, but a drill press is harder to use for self defense when your data center is invaded by multinational terrorists who are dead set on taking the drivers license numbers of your clients... or so I've heard...
Re: (Score:2)
Since we bought a laser cutter, that's what we use at EOL for a drive. It's great fun to watch them go through, though maybe not as satisfying as a sledgehammer.
Re: (Score:2)
And most of them not speak English good.
Re: (Score:2)
My daughter uses encrypted partitions even for her cat videos. A $150B corporation should be able to do the same.
Jogor say Jogor use sledge hammer for old drive .. Morgan got no hammer .. har har..
Re: (Score:2)
That is some appalling incompetence. ... My daughter uses encrypted partitions even for her cat videos. A $150B corporation should be able to do the same.
Not only that, while it may take a few hours (or overnight) it's not complicated to DOD (or otherwise securely) wipe drives. And it's not like Morgan Stanley didn't know their systems were being decommissioned; someone could have easily kicked off a wipe the night before as the last thing done on the systems.
Re: (Score:2)
You generally don't encrypt disks on servers because it incurs a performance hit and necessitates manual intervention (ie to enter the key) if the server is rebooted. Or if you store the key on the server and let it boot unattended the encryption becomes pointless anyway since whoever ends up in possession of it now has the keys too.
This was a failure in process, servers should not have been removed from the data centre without having their disks wiped or physically destroyed. A large corporation will usual
Re: Boomers (Score:2)
Well, if you have AND enable hardware disk encryption the performance penalty is minimal (if you can even notice it during normal daily use - I'm not even sure we're not talking about client disks instead of server disks, and client disks are so fast today compared to what people need or can use, it's basically impossible to detect any impact from hardware encryption).
And if you then remove the disk from the server or client that holds the key, it's effectively wiped until someone can recover the key through
Re: (Score:2)
You make it sound easy, but it really isn't. Something that size requires automated systems to manage everything and I have heard of some companies having to replace servers because they tried to enable disk encryption only to find out the hardware didn't properly support it.
Re: (Score:2)
For servers, it can be different. And in that case, if the disks aren't encrypted only in certain cases it's easy to overlook when you throw them away that they're in clear text. But still, that should have been handled when they realized they couldn't encrypt them. Paint them red, follow procedures, or if you are unsure they will be followed, replace the disks. It's usually a lot cheaper to prevent loss of reputation than having to deal with the fallout.
Re: (Score:3)
Yeah, that's the weird part. I've seen Morgan Stanley's asset disposal policies and someone would have had to violate them pretty badly and somehow keep even middle management out of the loop. Anything with the capability of holding that much personal data should have had the disks removed and shredded.
Re: (Score:2)
Having a policy vs. its functional implementation are two very different things. Laziness, incompetence, greed, and even altruism all get in the way. With a 75,000 person company there's a lot of room for one of them to come into play.
XYZ department of quants or devs ponies up for an early refresh. Pointy-haired boss wants to make nice with a charity to get accolades in his local town meetings. Donates those computers on his own authority. IT folks assume they got wiped, since that's policy and they're
Re: (Score:2)
I tried asking some folks who work there, but no one will tell me exactly what happened. I suspect the past policy (this incident was 7 years ago) allowed for third party vendors to certify they wiped the data. I do know that's not the case now.
You keep saying "BitLocker" as if any user PC would ever have that much user data. Everything you described applies to mid sized companies but not large ones.
At any rate, some things get easier as companies get larger since you now have departments for things since
Re: (Score:2)
it incurs a performance hit and necessitates manual intervention (ie to enter the key) if the server is rebooted. Or if you store the key on the server and let it boot unattended the encryption becomes pointless anyway since whoever ends up in possession of it now has the keys too.
Or you store the encryption keys on a separate volume and make sure you wipe that, the disks are worthless without the keys anyway.
Re: (Score:2)
Or you store the encryption keys on a separate volume and make sure you wipe that, the disks are worthless without the keys anyway.
It's called TPM. There's even a trivial PowerShell command to wipe it.
Doing so meets NIST standards too. But they have to be encrypted in the first place :)
Re: (Score:2)
That is the weird part to me. I have seen Morgan Stanley's asset disposal policies and this would have been a huge violation.
Re: (Score:3)
Re: (Score:2)
If the machine is stolen you have multiple avenues for attack, because you're no longer relying on the strength of the encryption but now on the obfuscation of the TPM chip and the strength of the installed OS.
Since you're now in physical possession of the server you can simply leave it turned off until a new vulnerability is published for the installed OS or application software running on it, then you can power it up and exploit it.
A flaw in the TPM chip could expose the key, as could other attacks agains
Re: (Score:2)
As has already been pointed out, if you store the key separately, you would have to enter it at every boot. That would increase security if the machines are physically stolen. However, it also adds attack surface. If somebody can get the backup
Re: (Score:2)
TPM + PIN defeats the majority of potential exploits - you're left sniffing bus/ram or using an unpublished TPM exploit (which would be a pretty major bug bounty). While technically not impossible, it's not really a viable attack vector against a properly secured system.
Yes, of course, a cryptographic erase is more secure than relying on the encryption, but you're pushing into edge case territory ... meanwhile these drives weren't encrypted at all.
Re:Boomers (Score:4, Informative)
And of course someone has to come along and make it creepy.
Welcome to Slashdot.
Re: (Score:1)
Only the guilty have something to hide. Now, what are those Cats REALLY doing?
Re: (Score:1)
Plotting. They spend most of their time plotting and planning.
Re: (Score:2)
Doing it to 1 hard drive is easy. Doing it across all servers of a company the size of Morgan Stanley without risking data loss or creating a maintenance nightmare is hard.
Re: (Score:2)
I'm thinking the unnamed in the article is "GoHardrive"
They are notorious for selling used hard drives as new on Ebay and Amazon. They have some process for wiping drives. The drives I received from them appeared to contain no data. Perhaps the file allocation table was just marked as not used (versus writing 0's or random data to the drive or something like Bleachbit). But looking at the SMART data showed 5000 hours and hundreds of start stop cycles. Previous drives I received from them, the SMART data was
Re: (Score:2)
While I agree that the disposal company should have properly wiped the drives, wiping the drive table (or similar) definitely would not meet their data destruction requirements (see NIST 800-88) as a financial institution.
Ultimately it's the responsibility of MS to have the drives/data destroyed. Had they gotten certification from the scrap company and it was falsified without them knowing, they probably wouldn't have been fined.
Re: (Score:2)
There is no such thing as a "military grade" data wipe on modern hard drives. Writing zeros over the drive is basically sufficient. It will miss what is on reallocated sectors but getting at those is tough in the first place and are highly likely to be garbled anyway. They are reallocated for a reason.
You can do a drive-initiated secure erase on SATA/IDE drives that will encompass those if you are really worried. SAS drives are a little more complicated, though Morgan Stanley should be using SES SAS drives
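The two comments above (the NIST 800-88 requirement that a financial institution's data destruction be verifiable and certified, and the point that a zero overwrite or drive-initiated secure erase is what actually gets done) both come down to the thing the Oklahoma consultant asked Morgan Stanley for: verification of data destruction before a drive leaves custody. The following is an added example, not code from the article or from any vendor: it read-verifies an image (or a block device) against the overwrite pattern, either in full or by representative sampling, and emits the per-device record an asset register would keep. The image paths, the device serial and the residue string are constructed placeholders.

```python
# Added example: verify media was actually sanitized before it leaves custody
# (NIST SP 800-88 expects verification: full read-back or a representative
# sample). Constructed code; paths, serial and residue are made up. BLOCK is
# the read/compare granularity.
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK = 1024 * 1024

def verify_full(path, pattern=b"\x00"):
    """Full read-back: every byte must equal the overwrite pattern.
    Returns (True, None) or (False, byte_offset_of_first_leftover)."""
    expect = pattern * (BLOCK // len(pattern) + 1)
    offset = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(BLOCK):
            want = expect[:len(chunk)]
            if chunk != want:  # fast path; locate the byte only on a mismatch
                i = next(i for i, (a, b) in enumerate(zip(chunk, want)) if a != b)
                return False, offset + i
            offset += len(chunk)
    return True, None

def verify_sampled(path, fraction=0.1, seed=None, pattern=b"\x00"):
    """Representative sample: read a random subset of blocks. Cheaper than a
    full pass, but a small leftover region can be missed (see demo)."""
    expect = pattern * (BLOCK // len(pattern) + 1)
    bad = []
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)  # size via seek: also works on block devices
        nblocks = max(1, -(-fh.tell() // BLOCK))
        k = max(1, min(nblocks, round(fraction * nblocks)))
        for b in random.Random(seed).sample(range(nblocks), k):
            fh.seek(b * BLOCK)
            chunk = fh.read(BLOCK)
            if chunk != expect[:len(chunk)]:
                bad.append(b)
    return sorted(bad)

def destruction_record(device_id, method, ok, detail):
    """The per-device verification record that should exist before any vendor
    touches the asset (device_id is a placeholder for the asset serial)."""
    return {"device": device_id, "method": method, "result": "PASS" if ok else "FAIL",
            "detail": detail, "verified_at": datetime.now(timezone.utc).isoformat()}

def demo():
    """Constructed 8 MiB images: one clean, one with a few dozen leftover bytes."""
    tmp = tempfile.mkdtemp()
    clean, dirty = os.path.join(tmp, "wiped.img"), os.path.join(tmp, "leftover.img")
    for p in (clean, dirty):
        with open(p, "wb") as fh:
            fh.write(bytes(8 * BLOCK))
    with open(dirty, "r+b") as fh:
        fh.seek(5 * BLOCK + 17)
        fh.write(b"ACCT 4111-2222 J. DOE  (constructed residue)")
    return {"clean_full": verify_full(clean), "dirty_full": verify_full(dirty),
            "dirty_all_blocks": verify_sampled(dirty, fraction=1.0),
            "dirty_one_in_four": verify_sampled(dirty, fraction=0.25, seed=1)}
```

The one-in-four sample may or may not land on block 5, which is why a full read-back (or the drive's own secure-erase completion status plus a sample) is the right bar for media that held customer records.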
Re: (Score:2)
You contract with a data destruction service like Iron Mountain who enters into a contract with you to certify that all data is destroyed before any hardware leaves their jurisdiction.
If data isn't destroyed, it's on them.
Re: (Score:1)
That is some appalling incompetence....A $150B corporation should be able to do the same.
$35M for a multi-billion dollar company? That's practically a bonus. If the S.E.C. was any more sissified they would have washed the CEO's car.
Probably not Boomers (Score:3)
Re: (Score:3)
is there anything else to add?
How about, "Please retire."
Wow dude. You went straight to ageism. Nice work.
There are plenty incompetent people within every generation. I encourage you to never forget that.
Re: (Score:2)
Maybe the GP supports a Basic Income and disagrees with you that only elderly people should retire.
WTAF (Score:1)
But 15 MILLION customers get their data exposed through negligence and they cop a $35 million fine.
How do they think a person's privacy is worth just over $1 ?
They should pay $1 Million per person in compensation and THEN pay the government the $35 Million in fines.
Utterly failed at the most basic level of security (Score:5, Insightful)
With penalties like that, there is no incentive to even hire a cybersecurity team, or even invest in padlocks! You know, it would likely just be a net profit for Morgan Stanley just to auction their own disks and then pay this measly fine each time, and as it stands, I wouldn't rule out collusion, or at the very least, wilful negligence in this case as it stands.
Significant, statutory, damages (Score:2)
This stuff won't stop until companies are actually hurt by leaking data. When data is a potential liability, they'll be more careful with it.
I propose $100 per person/account compromised.
Appeals accepted only on the number of compromises, not the damage per compromise.
No class action lawsuits, no law firm rake off, no massive legal system delays.
In this case, that would have been $1.5 billion - enough to get the attention of even Morgan Stanley.
Re: (Score:2)
...I wouldn't rule out collusion...
The technical term is "return on campaign contribution."
Re: (Score:2)
Re: (Score:2)
It's about $0.02 per share vs quarterly dividend of ~$0.77 ... or less than 1% of the yearly.
It's not money they'll really care about, though the reputational hit will matter as will the added diligence they'll have to do for a while.
Another useless wrist-slap for a company who REALLY should know better.
unnamed internet auction site (Score:4, Funny)
the devices were then resold on an unnamed internet auction site
Imagine how much more popular that site would be if they could decide on a name for it!
Re: (Score:2)
You don't do that with clandestine operations.
That's something that puzzles me to no end, anyway. Why do all those secret societies have a name? The last thing I'd want to give my secret society is a name. What for? Everyone in it knows it anyway, and everyone outside of it shouldn't be able to talk about it, so why have an effin' NAME?
Re: (Score:2)
You don't do that with clandestine operations.
That's something that puzzles me to no end, anyway. Why do all those secret societies have a name? The last thing I'd want to give my secret society is a name. What for? Everyone in it knows it anyway, and everyone outside of it shouldn't be able to talk about it, so why have an effin' NAME?
1. How do you recruit for a nameless org?
2. How does one seek out membership in a nameless org?
Re: (Score:2)
1. By talking to people and asking them if they want to join a group of people who have a common goal with them.
2. You don't call us. We call you.
dell / hp will do RMA and let you destroy the disk (Score:3)
dell / hp will do RMA and let you destroy the disk as well. But will Apple do the same?
Why's it so hard? (Score:2)
They didn't try to resell the used drives, partly for security reasons, but largely because by the time they were decommissioned, they were so outdated that they'd only be worth about $10/pallet.
Re: (Score:2)
It is not hard. It just requires some minimal management attention to doing it properly. Obviously at Morgan Stanley nobody cares. That is why this is gross negligence and the ones responsible (including the CEO) should go to prison for this or at the very least get a suspended prison term.
Obviously gross negligence (Score:2)
1. Not encrypted
2. Not properly disposed of
Somebody (definitely the CEO, but maybe others) should go to prison for this. A small fine will do exactly nothing.
More proof that... (Score:2)
Re: (Score:2)
Contractors Mostly at Morgan Stanley (Score:2)
I did a short stint for Morgan Stanley as a Contractor/Consultant for an email migration to Microsoft Exchange and Outlook including Palm Pilot synchronization more than a decade-and-a-half ago or two at the NYC Times Square location. Easy gig for me and got to work in that nice new location until I started hating it due to the crowds of tourists that would make walking around a pain in the arse during lunch or when trying to go home. Luckily it was an early start gig so I was coming to work at 6am and le
Re: (Score:2)
Given so many /. comments on this particular topic today, may I inquire as to whether or not you consider yourself to be a boomer?
My guess is you are, given your experience and attention to detail given your responsibility.
...and while I think to ask, can you share any insight on missing Secret Service text messages from January 5 and 6, 2021?