Morgan Stanley didn't wipe their hard drives before giving them to a third party

&gt; &quot;Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”<p>$35 million fine for 15 million customer&#x27;s PII. The &#x27;clear message&#x27; is that a customer&#x27;s PII is worth about $2. Meanwhile the customers are on the hook for fraud monitoring in perpetuity.

I used to visit the data centers of some very large financial institutions.<p>The SoP at those places was that hard drives from the data center NEVER left the building except through a device that destroyed them…. Their security guards were really into checking for them and etc.<p>It was a pretty common rule across those banks and etc at that time, and that was quite a while ago.

The real mistake in this trainwreck was that Morgan Stanley didn&#x27;t encrypt their hard drives.

&gt;MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers<p>Guess the smartest people in the room weren&#x27;t in the IT department ... Wonder if they chose that <i>moving and storage company</i> because they were a cheaper option.

<i>Opinions are my own</i> As someone who works for a large financial institution, THIS SHOULD NEVER HAVE HAPPENED! This could be deeply flawed security and controls processes, a culture of not my problem, their tech leadership being incompetent, or CFO driving CIO&#x2F;CTO decision making. Either way this is not the sign of a healthy company and the rot likely runs much deeper. You dont make this kind of mistake in this industry at a firm of that size.

I wonder if the &quot;moving and storage company with no experience or expertise in data destruction&quot; was owned by a relative or friend of a Morgan Stanley exec.

This is completey unacceptable - not wiping your hard dicks before going to a party, that too a third one? Stop the madness. Not cool at all.