Morgan Stanley fined $35m after hard drives sold with customer info still on them

Morgan Stanley Smith Barney has agreed to pay a paltry $35 million penalty after customers' sensitive records were left unencrypted on unwiped hard drives that were auctioned off after decommissioning. The financial services giant will cough up the cash to settle SEC charges that, during several datacenter server …

  1. druck Silver badge

    Jail time

    I don't normally agree with the calls for jail time for the C-suites, but with a history of repeated violations and a clear disregard for the law and their customers privacy, it would be entirely appropriate in this case.

    1. Anonymous Coward

      Re: Jail time

      Then you are an enabler. They want the big bucks but are afraid to play for keeps? It's exactly wishy-washy types like you that are keeping them running wild like this. It's probably because you don't want to close the door on your own personal chance to be human garbage. Rather than jail time, it should be the death penalty. Careless exec decisions have all too frequently resulted in gross harm and death, but rarely does it ever result in jail time for those who are being paid as though they are responsible for what's going on. Certainly they claim responsibility when things go well.

      Any farmer faces 10-100x the risk of these C suite turds every day.

      1. Ian Johnston Silver badge

        Re: Jail time

        But you can't hold a whole bank responsible for the behavior of a few, sick twisted individuals. For if you do, then shouldn't we blame the whole bank system? And if the whole bank system is guilty, then isn't this an indictment of our financial institutions in general? I put it to you, Anonymous Coward - isn't this an indictment of our entire American society? Well, you can do whatever you want to us, but we're not going to sit here and listen to you badmouth the United States of America. Gentlemen!

        1. VoiceOfTruth

          Re: Jail time

          -> badmouth the United States of America

          A black man sells a tiny bag of pot. 10 years. A white family sells opiates which kill hundreds of thousands. Pay a fine.

          1. Terry 6 Silver badge

            Re: Jail time

            I think the comment was meant to be irony.

            1. Cuddles

              Re: Jail time

              Pretty sure it was meant to be a quote from Animal House.

        2. DJO Silver badge

          Re: Jail time

          ...you can't hold a whole bank responsible for the behavior of a few...

          The current system does just that. Instead of the guilty parties paying the penalty any fine comes from the operating budget which just means either a smaller dividend or the general staff get a smaller pay raise or the cost to customers increases.

          What never happens is the people responsible have to pay anything, much the opposite in fact - I'll guarantee the board will get their annual bonuses and multi-million pension contributions as usual.

          Until board members are personally penalised for corporate malfeasance nothing will ever change.

          1. Snapper

            Re: Jail time

            Wish we could do the same to Governments.

  2. Kabukiwookie

    Privacy?

    Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected

    I no longer have that expectation. I *should*, but I don't.

    I expect all my data that sits stored at large corps (or worse, in 'The Cloud'), to be meticulously scrutinised and gone through with a fine comb by several TLAs.

    1. Anonymous Coward

      Re: Privacy?

      Oh, but it IS protected, I assure you -- it's just that some organisations have better protections than others. Banks, in my professional experience, are less astoundingly awful than other financial services organisations. And some pretty tiny FS organisations have outstanding security. (Don't get me started on non-gigantic hedge funds, though: I continue to wait for the day when financially-motivated attackers stumble across that sector...)

  3. trevorde Silver badge

    Haven't they seen Mr Robot

    The only way to properly dispose of a hard drive is with an electric drill. And a hammer. And fire.

    1. A.P. Veening Silver badge

      Re: Haven't they seen Mr Robot

      The only way to properly dispose of a hard drive is with an electric drill. And a hammer. And fire.

      An ex-colleague got very nice results with a sniper rifle.

      1. G.Y.

        Re: Haven't they seen Mr Robot

        I took one to a stair, stomped on it, bent it 45 degrees; but I'm sure motivated professionals could still pick bits of the (now) non-rotating rust

      2. JimboSmith Silver badge

        Re: Haven't they seen Mr Robot

        I watched a couple of videos on YouTube where someone used a 50 cal https://www.youtube.com/watch?v=7sATeFlLk-Y and someone else a .458 SOCOM https://www.youtube.com/watch?v=4rCNqrdcX_A to destroy a few hard drives.

    2. Someone Else Silver badge

      Re: Haven't they seen Mr Robot

      I recently took a hard drive to a recycler in the area. They had a very nice little machine that was actually a hard disk shredder. And that's exactly what it did. Noisy...but effective. And the folks let me see the results -- ain't nobody going to be able to extract anything from that machine's output.

    3. Tom Paine

      Re: Haven't they seen Mr Robot

      I once spent a relaxing afternoon verifying a few crates of old HDs were indeed going through a manually operated device rather like an inverted axle jack. Slow, but very thorough.

  4. An_Old_Dog Silver badge

    Unwiped Surplus PCs

    I once bought a used IBM XT from a now-fallen-from-its-former-glory electronic test and measurement equipment maker's surplus store. I found data on the drive. It wasn't personal data, it was test-results data. You'd expect/hope a tech company's nerds to know better ...

    1. usbac Silver badge

      Re: Unwiped Surplus PCs

      Last year I bought a fairly new Dell PC on eBay. It apparently came from a large law firm, because it had a DVD in the drive that contained 3+GB of their client case files. I just shredded the DVD.

      They removed the hard drive to prevent the disclosure of data, but no one checked the DVD drive!

  5. Marty McFly Silver badge
    Thumb Up

    Data destruction is fun!

    I have e-wasted countless personal machines over the years. Every single one of them stripped of their storage.

    Out with buddies a few months back, doing some target practice. Instead of buying targets, I set up the hard drives on a rail and we went at it. Nothing but smashed bits to clean up when we were done.

    A frugal IT shop could do the same under the banner of a 'team building exercise'. A lot cheaper than paying a 3rd party, and staff lets out a little bit of Office Space "PC Load Letter" frustration.

    1. Terry 6 Silver badge

      Re: Data destruction is fun!

      When I recycled old education service PCs I used to remove the HDDs. Because they'd contained sensitive information. Yes I'd reformatted them and overwritten them a couple of times - and so it's improbable that anyone would have tried hard enough to be able to get the data off them, but still....

      And then I damaged them as much as I could - breaking anything breakable with the tools to hand and leaving them in a puddle of water for a week or two at least, before taking them to the metal recycling skip (not the computer and electronics skip).

      But, 1) The Powers That Be did not have any kind of protocol for disposal of old HDDs and 2) the recycling centre asked the higher ups why they kept getting PCs that didn't have HDDs in them (apparently I wasn't the only education manager taking precautions unilaterally).

      1. Tom Paine

        Re: Data destruction is fun!

        Ahhh, so they were looking for the HDs then. Interesting....

        1. J. Cook Silver badge

          Re: Data destruction is fun!

          Naw, the recycling center was probably wanting to resell the machines, and having to buy new hard drives for old machines cuts into (or neutralizes entirely) their profit margin.

          Depending on what's on the drive, if I need to sanitize it, I'll run DBAN on it with a couple passes from the randomizer with a final blanking pass. If it's something super sensitive, then I'll go the physical destruction route.
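The overwrite policy described in the comment above (a couple of random passes followed by a final blanking pass) is straightforward to reproduce and, more importantly, to verify. The script below is an added example, not DBAN's code and not anything from the article; it runs the same pass sequence against a file standing in for a block device, then reads the whole target back to confirm that every byte is zero and that a constructed marker record is no longer findable. The chunk size, pass count and sample record are assumptions; on a real device the path would be something like `/dev/sdX` (hypothetical), and `_target_size` uses seek-to-end because `os.path.getsize` reports 0 for block devices on Linux.

```python
"""Added example: DBAN-style multi-pass overwrite with read-back verification.

Runs N passes of CSPRNG output followed by one all-zeros pass over a target,
then verifies. The target in demo() is a constructed temp file, not a real disk.
"""
import os
import secrets
import tempfile

BLOCK_SIZE = 1024 * 1024  # assumed streaming chunk size (1 MiB)
SAMPLE_RECORD = b"ACCOUNT-1234 constructed record\n"  # constructed, 32 bytes


def _target_size(fh):
    """Size of a file or block device: seek to end rather than stat()."""
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def _overwrite(path, chunk_fn):
    """Write chunk_fn(n) bytes over the entire target and force them to media."""
    with open(path, "r+b") as fh:
        remaining = _target_size(fh)
        while remaining > 0:
            n = min(BLOCK_SIZE, remaining)
            fh.write(chunk_fn(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())


def sanitize(path, random_passes=2):
    """random_passes of CSPRNG data, then a final zero pass. Returns bytes covered."""
    for _ in range(random_passes):
        _overwrite(path, secrets.token_bytes)
    _overwrite(path, bytes)  # bytes(n) is n zero bytes: the blanking pass
    with open(path, "rb") as fh:
        return _target_size(fh)


def verify_blank(path):
    """Read the whole target back; True only if every byte is zero."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(BLOCK_SIZE)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def contains(path, needle):
    """True if the marker bytes are still findable anywhere in the target."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(BLOCK_SIZE)
            if not chunk:
                return False
            if needle in tail + chunk:
                return True
            tail = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""


def demo():
    """Build a constructed 'disk image' full of records, sanitize it, verify."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(SAMPLE_RECORD * 1000)
        before = contains(path, b"ACCOUNT-1234")
        size = sanitize(path, random_passes=2)
        return {
            "marker_before": before,
            "bytes_covered": size,
            "blank_after": verify_blank(path),
            "marker_after": contains(path, b"ACCOUNT-1234"),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The read-back step is the part worth keeping: a wipe that is not verified is a wipe you are taking on faith. The caveat is that overwriting only reaches sectors the device still exposes; reallocated sectors on spinning disks and the over-provisioned area of an SSD are out of reach of any host-side pass, which is why the comment's fallback of physical destruction for sensitive media (or the drive's own built-in secure-erase command, where it exists) is the right instinct.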

          1. Terry 6 Silver badge

            Re: Data destruction is fun!

            Well yes. This was a municipal (but contracted out) centre. Tech placed in that container would be reused where possible and recycled or used for parts if not. But our HDDs were pretty much only used for sensitive data, reports on or about kids' needs and backgrounds, with identification. And no chance is too small in those circumstances. As close to total destruction as I could manage. And then placed into metal recycling along with the old cans, cookers and car parts.

    2. An_Old_Dog Silver badge

      Re: Data destruction is fun!

      I'd be all for that! However, you still have to inspect the drives for significant physical damage.

      A friend and I had been plinking, and he had, at a range of 50 feet, shot at the side of an empty wire spool, said spool being made of sheet metal. The standard 0.45 calibre ball ammo from his M1911 pistol slightly-dented the side of the spool, but didn't penetrate it. (I'd expect more-effective results from a hunting rifle.)

      1. Marty McFly Silver badge
        Thumb Up

        Re: Data destruction is fun!

        I used to have a hard drive I displayed at my desk with two .308 holes in it. Actually made nice clean holes too. The boss made me take it home when some overly sensitive type made a comment about it representing violence or something like that.

        You are right about the levels of destruction. However, I will submit that any size round is sufficient to take the drive out of service. While a forensic lab may be able to retrieve the data from a damaged (rather than destroyed) hard drive, that is a lot more effort than plugging in a used drive and hoping to find stuff. Anyone who is the custodian of data that valuable has a formal physical destruction process in place.

  6. Screepy
    Pint

    Lol at sub-heading.. Bueller Bueller Bueller

    Fry Fry Fry

    Have one of these sub-editors -->

  7. Tom Paine

    (MS have been owned by JPMorgan since the 2008 crash, though AFAIK they're relatively independent organisations below the levels in the JPM buildings where you need an oxygen mask to survive.)

  8. Snapper

    Printers

    Check any printer or photocopier that leaves your hands for an internal hard drive. They are rarely removed, so your confidential documents that you took to a local copy shop are probably still on there.
