Incorrectly disposing of hard drives may cost companies millions in fines

It’s worth thinking about physical data breaches as well as falling foul of a hack.

In the race to protect ourselves from the ever-present risk of hacking, companies and information security experts tend to focus on the intangible elements. We look out for phishing attacks and the risk that our data will be secreted away from servers by hackers.

What we often don’t think about is the safety and security of the hardware on which that data is kept. We’re so used to hackers sneaking in through digital back doors that we overlook the importance of properly disposing of and destroying the physical infrastructure on which that data is held. But it’s often a treasure trove of information that hackers would love to get their hands on.

Proper disposal of such data-holding devices is crucial, and it’s something that can be punished if not done correctly – as Morgan Stanley Smith Barney (MSSB), now known as Morgan Stanley Wealth Management, learned in September. It has been compelled to pay $35 million to the US Securities and Exchange Commission (SEC) to settle claims that it had failed to correctly dispose of hard drives and servers that held customers’ personal data between 2015 and 2020.

What went wrong


On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the personal identifying information of millions of its customers, according to the SEC. Because the bank did not properly oversee how that company disposed of the devices, the company was able to sell them on.

The moving company sold thousands of devices that had been owned by the bank – including servers and hard drives – to a third party. Some of those devices contained customer details and were eventually resold on an internet auction site without the data being removed. When it became aware of this, MSSB tried to recover some of the devices, which contained thousands of pieces of unencrypted customer data, but it was unable to recover the vast majority of them.

“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” says Gurbir S. Grewal, Director of the SEC’s Enforcement Division. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”

The risks involved

For its part, Morgan Stanley settled and did not admit or deny the SEC’s findings about its data handling and oversight of third parties. However, a spokesperson has said that the company is “pleased to be resolving this matter.” “We have previously notified applicable clients regarding these matters, which occurred several years ago and have not detected any unauthorized access to, or misuse of, personal client information,” they added.

But the situation highlights the consequences of not properly disposing of computer hardware and how easily data can be recovered from it. It is therefore vital to sanitize and destroy devices before they leave your control: physically destroy the media, and also wipe the data with software so that it cannot be recovered. For devices still in service, encryption is key.

Companies wanting to avoid the same mistakes may also want to learn from another of the SEC’s findings against MSSB: a records reconciliation exercise undertaken by the bank revealed that 42 servers, all potentially containing unencrypted customer information and consumer report information, were missing. Making sure you know where your devices are at all times is crucial.
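One way to run the kind of records reconciliation the SEC describes, as an added example that is not Morgan Stanley's or the SEC's own procedure: it checks an asset register against destruction certificates and flags the cases the article warns about (assets nobody can locate, disposals with no certificate or an unapproved vendor, and unencrypted media that is not verifiably destroyed). The vendor names, method names and all sample data are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    asset_id: str
    encrypted: bool   # full-disk encryption enabled while in service
    status: str       # "in_service", "decommissioned" or "unknown"

@dataclass(frozen=True)
class Destruction:
    asset_id: str
    vendor: str
    method: str       # sanitization method the vendor certifies
    certificate: str  # certificate-of-destruction reference (constructed)

APPROVED_VENDORS = {"CertifiedITAD Inc"}  # constructed vendor list
ACCEPTED_METHODS = {"shred", "degauss", "crypto_erase", "overwrite"}

def verified(rec):
    """A record counts only if an approved vendor used an accepted method."""
    return rec is not None and rec.vendor in APPROVED_VENDORS and rec.method in ACCEPTED_METHODS

def reconcile(assets, records):
    by_id = {r.asset_id: r for r in records}
    f = {"missing": [], "no_certificate": [], "unverified_vendor": [],
         "orphan_certificate": [], "unencrypted_exposure": []}
    for a in assets:
        rec = by_id.get(a.asset_id)
        if a.status == "unknown":
            f["missing"].append(a.asset_id)  # nobody can say where it is
        elif a.status == "decommissioned":
            if rec is None:
                f["no_certificate"].append(a.asset_id)
            elif not verified(rec):
                f["unverified_vendor"].append(a.asset_id)
        # Unencrypted data stays recoverable unless destruction is verified.
        if not a.encrypted and not (a.status == "decommissioned" and verified(rec)):
            f["unencrypted_exposure"].append(a.asset_id)
    # Certificates that name assets absent from the register need explaining too.
    f["orphan_certificate"] = sorted(set(by_id) - {a.asset_id for a in assets})
    return f

# Constructed sample register and disposal records.
ASSETS = [Asset("SRV-001", False, "decommissioned"), Asset("HDD-002", False, "decommissioned"),
          Asset("SRV-003", False, "unknown"), Asset("HDD-004", True, "decommissioned"),
          Asset("SRV-005", True, "in_service"), Asset("HDD-006", False, "in_service")]
RECORDS = [Destruction("SRV-001", "CertifiedITAD Inc", "shred", "COD-1001"),
           Destruction("HDD-002", "QuickMove Storage", "none", "COD-1002"),
           Destruction("HDD-999", "CertifiedITAD Inc", "degauss", "COD-1003")]

if __name__ == "__main__":
    for kind, ids in reconcile(ASSETS, RECORDS).items():
        print(f"{kind}: {ids}")
```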