> "Today's action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data."

$35 million fine for 15 million customers' PII. The 'clear message' is that a customer's PII is worth about $2. Meanwhile the customers are on the hook for fraud monitoring in perpetuity.
I used to visit the data centers of some very large financial institutions.

The SOP at those places was that hard drives from the data center NEVER left the building except through a device that destroyed them. Their security guards were really into checking for them and etc.

It was a pretty common rule across those banks and etc. at that time, and that was quite a while ago.
> MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers

Guess the smartest people in the room weren't in the IT department... Wonder if they chose that moving and storage company because they were a cheaper option.
(Opinions are my own.) As someone who works for a large financial institution, THIS SHOULD NEVER HAVE HAPPENED! This could be deeply flawed security and controls processes, a culture of "not my problem", their tech leadership being incompetent, or the CFO driving CIO/CTO decision making. Either way this is not the sign of a healthy company and the rot likely runs much deeper. You don't make this kind of mistake in this industry at a firm of that size.
I wonder if the "moving and storage company with no experience or expertise in data destruction" was owned by a relative or friend of a Morgan Stanley exec.