Jail time
I don't normally agree with the calls for jail time for the C-suites, but with a history of repeated violations and a clear disregard for the law and their customers privacy, it would be entirely appropriate in this case.
Morgan Stanley Smith Barney has agreed to pay a paltry $35 million penalty after customers' sensitive records were left unencrypted on unwiped hard drives that were auctioned off after decommissioning. The financial services giant will cough up the cash to settle SEC charges that, during several datacenter server …
Then you are an enabler. They want the big bucks but are afraid to play for keeps? It's exactly wishy-washy types like you that are keeping them running wild like this. It's probably because you don't want to close the door on your own personal chance to be human garbage. Rather than jail time, it should be the death penalty. Careless exec decisions have all too frequently resulted in gross harm and death, but rarely does it ever result in jail time for those who are being paid as though they are responsible for what's going on. Certainly they claim responsibility when things go well.
Any farmer faces 10-100x the risk of these C suite turds every day.
But you can't hold a whole bank responsible for the behavior of a few, sick twisted individuals. For if you do, then shouldn't we blame the whole bank system? And if the whole bank system is guilty, then isn't this an indictment of our financial institutions in general? I put it to you, Anonymous Coward - isn't this an indictment of our entire American society? Well, you can do whatever you want to us, but we're not going to sit here and listen to you badmouth the United States of America. Gentlemen!
...you can't hold a whole bank responsible for the behavior of a few...
The current system does just that. Instead of the guilty parties paying the penalty any fine comes from the operating budget which just means either a smaller dividend or the general staff get a smaller pay raise or the cost to customers increases.
What never happens is the people responsible have to pay anything, much the opposite in fact - I'll guarantee the board will get their annual bonuses and multi-million pension contributions as usual.
Until board members are personally penalised for corporate malfeasance nothing will ever change.
Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected
I no longer have that expectation. I *should*, but I don't.
I expect all my data that sits stored at large corps (or worse, in 'The Cloud') to be meticulously scrutinised and gone through with a fine comb by several TLAs.
Oh, but it IS protected, I assure you -- it's just that some organisations have better protections than others. Banks, in my professional experience, are less astoundingly awful than other financial services organisations. And some pretty tiny FS organisations have outstanding security. (Don't get me started on non-gigantic hedge funds, though: I continue to wait for the day when financially-motivated attackers stumble across that sector...)
I watched a couple of videos on YouTube where someone used a 50 cal https://www.youtube.com/watch?v=7sATeFlLk-Y and someone else a .458 SOCOM https://www.youtube.com/watch?v=4rCNqrdcX_A to destroy a few hard drives.
I recently took a hard drive to a recycler in the area. They had a very nice little machine that was actually a hard disk shredder. And that's exactly what it did. Noisy... but effective. And the folks let me see the results -- ain't nobody going to be able to extract anything from that machine's output.
I once bought a used IBM XT from a now-fallen-from-its-former-glory electronic test and measurement equipment maker's surplus store. I found data on the drive. It wasn't personal data, it was test-results data. You'd expect/hope a tech company's nerds to know better ...
Last year I bought a fairly new Dell PC on Ebay. It apparently came from a large law firm, because it had a DVD in the drive that contained 3+GB of their client case files. I just shredded the DVD.
They removed the hard drive to prevent the disclosure of data, but no one checked the DVD drive!
I have e-wasted countless personal machines over the years. Every single one of them stripped of their storage.
Out with buddies a few months back, doing some target practice. Instead of buying targets, I set up the hard drives on a rail and we went at it. Nothing but smashed bits to clean up when we were done.
A frugal IT shop could do the same under the banner of a 'team building exercise'. A lot cheaper than paying a 3rd party, and staff lets out a little bit of Office Space "PC Load Letter" frustration.
When I recycled old education service PCs I used to remove the HDDs, because they'd contained sensitive information. Yes, I'd reformatted them and overwritten them a couple of times - and so it's improbable that anyone would have tried hard enough to be able to get the data off them, but still....
And then I damaged them as much as I could - breaking anything breakable with the tools to hand and leaving them in a puddle of water for a week or two at least, before taking them to the metal recycling skip (not the computer and electronics skip).
But, 1) The Powers That Be did not have any kind of protocol for disposal of old HDDs and 2) the recycling centre asked the higher-ups why they kept getting PCs that didn't have HDDs in them (apparently I wasn't the only education manager taking precautions unilaterally).
Naw, the recycling center was probably wanting to resell the machines, and having to buy new hard drives for old machines cuts into (or neutralizes entirely) their profit margin.
Depending on what's on the drive, if I need to sanitize it, I'll run DBAN on it with a couple of passes from the randomizer with a final blanking pass. If it's something super sensitive, then I'll go the physical destruction route.
Well yes. This was a municipal (but contracted out) centre. Tech placed in that container would be reused where possible and recycled or used for parts if not. But our HDDs were pretty much only used for sensitive data, reports on or about kids' needs and backgrounds, with identification. And no chance is too small in those circumstances. As close to total destruction as I could manage. And then placed into metal recycling along with the old cans, cookers and car parts.
I'd be all for that! However, you still have to inspect the drives for significant physical damage.
A friend and I had been plinking, and he had, at a range of 50 feet, shot at the side of an empty wire spool, said spool being made of sheet metal. The standard 0.45 calibre ball ammo from his M1911 pistol slightly dented the side of the spool, but didn't penetrate it. (I'd expect more effective results from a hunting rifle.)
I used to have a hard drive I displayed at my desk with two .308 holes in it. Actually made nice clean holes too. The boss made me take it home when some overly sensitive type made a comment about it representing violence or something like that.
You are right about the levels of destruction. However, I will submit that any size round is sufficient to take the drive out of service. While a forensic lab may be able to retrieve the data from a damaged (rather than destroyed) hard drive, that is a lot more effort than plugging in a used drive and hoping to find stuff. Anyone who is the custodian of data that valuable has a formal physical destruction process in place.