Learn from Morgan Stanley’s Data Breach: Use a Certified and Experienced ITAD Company

Posted on Oct 26th, 2022 | Category: Blog

Have you tried to reduce costs when it’s time to get rid of old IT equipment? Morgan Stanley learned the hard way that failing to dispose of electronic devices properly can be far more costly for your company than doing it right.

The global financial services firm Morgan Stanley trusted a standard moving company to dispose of end-of-life IT equipment. It has been reported that this company had no experience in IT asset disposition (ITAD). The unnamed moving company sold hard drives and other equipment online, exposing Morgan Stanley’s clients’ data.

Most of us assume that a second-hand hard drive has been fully wiped of all previous data before it is sold. However, if such equipment reaches the wrong people, it can be detrimental to your organization. By allowing hard drives that had been neither degaussed nor shredded to be sold, Morgan Stanley left its clients vulnerable to data leaks.

Morgan Stanley failed to destroy their customer data correctly, and that oversight has cost them millions of dollars. 

How does a hard drive that’s been wiped still have data? 

Morgan Stanley was exposed by an IT consultant who purchased some of the hard drives. He wrote to Morgan Stanley stating they could get “some kind of verification of data destruction.” As a financial institution, Morgan Stanley has stringent guidelines that they need to follow regarding data destruction. 

Although the information isn’t easily accessible on wiped drives, someone with experience can recover critical data. 

Finding “Hidden” Information

A Comparitech study found that 3 in 5 second-hand hard drives still contained data from the previous owner. 26% of the hard drives had been formatted, but it took little effort to recover the data from them.

An organization that does not use professional data destruction services may fail to fully destroy sensitive data. Degaussing and shredding hard drives ensures that all data is physically destroyed.
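As an added illustration (not part of the original post), the constructed in-memory "disk image" below shows why a formatted drive still holds data and how a residual-data check can verify data destruction. The toy layout (sector 0 as the allocation table, file contents in a later sector) and the sample record are assumptions made for the demonstration.

```python
# Constructed toy disk image: sector 0 holds a tiny allocation table
# (offset + length of one file); file contents live in a later sector.
SECTOR = 512

def make_image(n_sectors: int, record: bytes, data_sector: int = 3) -> bytearray:
    """Build the constructed image: table entry in sector 0, record in data_sector."""
    img = bytearray(n_sectors * SECTOR)
    off = data_sector * SECTOR
    # Allocation entry: 8-byte offset + 8-byte length (constructed format).
    img[0:16] = off.to_bytes(8, "little") + len(record).to_bytes(8, "little")
    img[off:off + len(record)] = record
    return img

def quick_format(img: bytearray) -> bytearray:
    """Quick format (the 'formatted' drives in the study): only metadata is
    cleared, so the file is invisible to the filesystem but its bytes remain."""
    img[0:SECTOR] = bytes(SECTOR)
    return img

def overwrite_clear(img: bytearray, pattern: bytes = b"\x00") -> bytearray:
    """NIST SP 800-88 'Clear': overwrite every user-addressable sector with a
    fixed pattern. Purge/Destroy (degaussing, shredding) go further still."""
    fill = (pattern * (len(img) // len(pattern) + 1))[:len(img)]
    img[:] = fill
    return img

def list_files(img: bytearray) -> list[bytes]:
    """What the filesystem 'sees': follow the allocation table only."""
    off = int.from_bytes(img[0:8], "little")
    length = int.from_bytes(img[8:16], "little")
    return [bytes(img[off:off + length])] if length else []

def residual_data(img: bytearray, samples: list[bytes]) -> list[bytes]:
    """Verification of data destruction: scan the raw image for known sample
    values and return the ones still present (empty list == sanitized)."""
    raw = bytes(img)
    return [s for s in samples if raw.find(s) != -1]

if __name__ == "__main__":
    record = b"ACCT=00012345 NAME=Jane Doe"  # constructed sample record
    img = make_image(8, record)
    quick_format(img)
    print("files after format:", list_files(img))                      # []
    print("residual after format:", residual_data(img, [b"Jane Doe"]))  # [b'Jane Doe']
    overwrite_clear(img)
    print("residual after clear:", residual_data(img, [b"Jane Doe"]))   # []
```

The same raw scan, run against a real drive image with known sample values, is the kind of "verification of data destruction" the consultant in the story asked for.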

Preventing Data Leaks

When it comes time for your company to get rid of old hard drives, computers, and various IT equipment, you need to find an agency that complies with all laws and regulations that your business needs to follow regarding personal data. 

Physical destruction is often essential for compliance in financial, healthcare, and other strictly regulated organizations.

Securis complies with the following rules and regulations:

  • NIST 800-88 standards
  • NISPOM 32 CFR Part 117 (which has replaced DoD 5220.22-M) data sanitization
  • HIPAA/HITECH
  • Sarbanes-Oxley Act
  • Gramm-Leach-Bliley Act
  • FACTA Disposal Rule
  • Bank Secrecy Act
  • Patriot Act of 2002
  • Identity Theft and Assumption Deterrence Act
  • US Safe Harbor Provisions
  • FDA Security Regulations
  • PCI Data Security Standard 
  • Various local, state, and federal regulations.

Failure to comply with regulations can lead to an embarrassing news story and cost your organization millions in settlement fees alone. Contact us to learn how we can help you stay compliant.