The financial costs from Morgan Stanley’s ITAD project mismanagement have grown to over $163 million. New details on the data loss incidents have also recently come to light. (Part 2)
◾ More excellent, in-depth reporting on this case by Jared Paben, Associate Editor at Resource Recycling.
◾ Link to Part 1 in Comments
♦ On Oct. 25, 2017, an IT consultant in Oklahoma emailed MSSB to tell the bank he had purchased hard drives online and had access to MSSB’s data on those drives, according to the SEC.
◾ “You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware,” the individual wrote in his email, or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to.”
◾ MSSB eventually repurchased the drives from the consultant.
♦ Shortly thereafter, MSSB launched an investigation into the disposition of the data center devices, and learned that Triple Crown had also delivered 8,000 of MSSB’s backup tapes to AnythingIT.
♦ Finally, in July 2020, MSSB disclosed the data loss to about 15 million impacted customers, emphasizing that there was no evidence that customer information had been misused by criminals.
♦ MSSB managed to get some more of the missing drives back.
◾ In June 2021 MSSB obtained another 14 of the missing drives from an unnamed downstream purchaser, according to the SEC.
◾ “Based on forensic analysis of these hard drives, 13 of the devices contained a total of at least 140,000 pieces of customer PII (personal identifying information).”
◾ “The vast majority of the hard drives from the 2016 Data Center Decommissioning remain missing.”
♦ The SEC described issues with other MSSB ITAD projects in 2015, 2016 and 2017, although they don’t appear as serious as the data center project described above.
◾ In one instance in 2016, Triple Crown decommissioned an MSSB data center in New York City, but MSSB lacked records on exactly what devices were removed or what data they contained, and it doesn’t have certificates of destruction for any of them, according to the SEC.
♦ The troubles also extended to a project that MSSB itself managed.
◾ In 2019, MSSB removed 500 data-bearing devices from branch offices as part of an IT refresh project.
◾ A February 2020 inventory check by MSSB found that four wide-area application services (WAAS) devices had gone missing as part of the refresh, the SEC stated.
◾ In 2021, MSSB undertook an inventory of all historical branch devices and discovered an additional 38 WAAS devices from that IT refresh were missing, the SEC determined.
♦ The commission also noted that the devices had been equipped with encryption capabilities but Morgan Stanley staff failed to activate the encryption software until 2018.
◾ Because of a software flaw, pre-2018 data remained unencrypted on the missing devices.