Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Data Storage The Almighty Buck

Morgan Stanley Hard Drives With Client Data Turn Up On Auction Site (nytimes.com) 70

An anonymous reader quotes a report from the New York Times: Morgan Stanley Smith Barney has agreed to pay a $35 million fine to settle claims that it failed to protect the personal information of about 15 million customers, the Securities and Exchange Commission said on Tuesday. In a statement announcing the settlement, the S.E.C. described what it called Morgan Stanley's "extensive failures," over a five-year period beginning in 2015, to safeguard customer information, in part by not properly disposing of hard drives and servers that ended up for sale on an internet auction site.

On several occasions, the commission said, Morgan Stanley hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the personal information of millions of its customers. The moving company then sold thousands of the devices to a third party, and the devices were then resold on an unnamed internet auction site, the commission said. An information technology consultant in Oklahoma who bought some of the hard drives on the internet chastised Morgan Stanley after he found that he could still access the firm's data on those devices.

Morgan Stanley is "a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware," the consultant wrote in an email to Morgan Stanley in October 2017, according to the S.E.C. The firm should, at a minimum, get "some kind of verification of data destruction from the vendors you sell equipment to," the consultant wrote, according to the S.E.C. Morgan Stanley eventually bought the hard drives back from the consultant. Morgan Stanley also recovered some of the other devices that it had improperly discarded, but has not recovered the "vast majority" of them, the commission said.
The settlement also notes that Morgan Stanley "had not properly disposed of consumer report information when it decommissioned servers from local offices and branches as part of a 'hardware refresh program' in 2019," reports the Times. "Morgan Stanley later learned that the devices had been equipped with encryption capability, but that it had failed to activate the encryption software for years, the commission said."
This discussion has been archived. No new comments can be posted.

Morgan Stanley Hard Drives With Client Data Turn Up On Auction Site

Comments Filter:
  • Charter must pay 1.4 Billion because a technician murdered an 83 year old woman.
    But 15 MILLION customers get their data exposed though negligence and they cop a $35 million fine.

    How do they think a persons privacy is worth just over $1 ?
    They should pay $1 Million per person in compensation and THEN pay the government the $35 Million in fines.
  • by The_Revelation ( 688580 ) on Wednesday September 21, 2022 @01:14AM (#62900355) Homepage
    And yet all they have to pay is $2.30 in damages per impacted individual. What a complete failure of the legal system! A fine of $2.30 per user that you literally lost the physical device that contained the data!

    With penalties like that, there is no incentive to even hire a cybersecurity team, or even invest in padlocks! You know, it would likely just be a net profit for Morgan Stanley just to auction their own disks and then pay this measly fine each time, and as it stands, I wouldn't rule out collusion, or at the very least, wilful negligence in this case as it stands.
    • This stuff won't stop until companies are actually hurt by leaking data. When data is a potential liability, they'll be more careful with it.

      I propose $100 per person/account compromised.
      Appeals accepted only on the number of compromises, not the damage per compromise.
      No class action lawsuits, no law firm rake off, no massive legal system delays.

      In this case, that would have been $1.5 billion - enough to get the attention of even Morgan Stanley.

    • by GlennC ( 96879 )

      ...I wouldn't rule out collusion...

      The technical term is "return on campaign contribution."

    • by tlhIngan ( 30335 )

      And yet all they have to pay is $2.30 in damages per impacted individual. What a complete failure of the legal system! A fine of $2.30 per user that you literally lost the physical device that contained the data!

      With penalties like that, there is no incentive to even hire a cybersecurity team, or even invest in padlocks! You know, it would likely just be a net profit for Morgan Stanley just to auction their own disks and then pay this measly fine each time, and as it stands, I wouldn't rule out collusion, o

  • by Ecuador ( 740021 ) on Wednesday September 21, 2022 @04:51AM (#62900617) Homepage

    the devices were then resold on an unnamed internet auction site

    Imagine how much more popular that site would be if they could decide on a name for it!

    • You don't do that with clandestine operations.

      That's something that puzzles me to no end, anyway. Why do all those secret societies have a name? The last thing I'd want to give my secret society is a name. What for? Everyone in it knows it anyway, and everyone outside of it shouldn't be able to talk about it, so why have an effin' NAME?

      • You don't do that with clandestine operations.

        That's something that puzzles me to no end, anyway. Why do all those secret societies have a name? The last thing I'd want to give my secret society is a name. What for? Everyone in it knows it anyway, and everyone outside of it shouldn't be able to talk about it, so why have an effin' NAME?

        1. How do you recruit for a nameless org?
        2. How does one seek out membership in a nameless org?

        • 1. By talking to people and asking them if they want to join a group of people who have a common goal with them.

          2. You don't call us. We call you.

  • Earlier in my career, before whole-disk encryption was widespread, I worked for a large hospital organization. Their decommissioning policy was to wipe the drive (using a boot-and-nuke [dban.org]-like tool), then to take it to a drill press and actually put holes through the platters.

    They didn't try to resell the used drives, partly for security reasons, but largely because by the time they were decommissioned, they were so outdated that they'd only be worth about $10/pallet.
    • by gweihir ( 88907 )

      It is not hard. It just requires some minimal management attention to doing it properly. Obviously at Morgan Stanley nobody cares. That is why this is gross negligence and the ones responsible (including the CEO) should go to prison for this or at the very least get a suspended prison term.

  • 1. Not encrypted
    2. Not properly disposed of

    Somebody (definitely the CEO, but maybe others) should go to prison for this. A small fine will do exactly nothing.

  • ...people running corporations are every bit as fucking stupid as people running government.
  • I did a short stint for Morgan Stanley as a Contractor/Consultant for an email migration to Microsoft Exchange and Outlook including Palm Pilot synchronization more than a decade-and-a-half ago or two at the NYC Times Square location. Easy gig for me and got to work in that nice new location until I started hating it due to the crowds of tourists that would make walking around a pain in the arse during lunch or when trying to go home. Luckily it was an early start gig so I was coming to work at 6am and le

    • Given so many /. comments on this particular topic today, may I inquire as to whether or not you consider yourself to be a boomer?
       
      My guess is you are, given your experience and attention to detail given your responsibility.
       
      ...and while I think to ask, can you share any insight on missing Secret Service text messages from January 5 and 6, 2021?

No spitting on the Bus! Thank you, The Mgt.

Working...