Morgan Stanley Breach Highlights Need for Media Sanitization

Written By

Namrata Sengupta

Updated on

March 17th, 2022

Consequences of Unsafe Data Disposal

The consequences associated with unsafe data disposal & media sanitization can be many. The most prominent ones are listed below:

Legal penalties: In the event of data compromise, organizations have to face severe financial penalties, lawsuits, & imprisonment. Firms usually have to pay a hefty fine in settling cases related to data breaches. Also, governments and regulatory agencies can impose additional penalties on the firm. For example, violation of EU-GDPR mandates can result in a penalty of up to €20 million or 4 percent of a company’s annual global revenue – whichever is greater.
Loss of trust and reputation: It takes years to build the customers’ trust, and a single incident like unsafe data disposal, can cause irreparable damage through loss of customers, brand equity, and goodwill. After the incident at Morgan Stanley came to light, many affected customers stated that they would now move their businesses elsewhere.
Misuse of business-critical information: A data breach can lead to the compromise & misuse of strategic information such as trade secrets, intellectual property, business intelligence, etc. leading to the loss of competitive edge and positioning of an organization.

Unsafe Disposition of Old IT Assets: Common Reasons

The following are the common reasons behind the unsafe disposal of data-bearing devices, leading to data leakage and breach:

Using an inappropriate method: It is essential to use the right method to sanitize the different types of storage media. For example, degaussing is a technique for sanitizing hard drives, but it cannot work on a solid-state drive. Likewise, shredding is a physical destruction method to destroy any storage hardware, but it can pose a risk of “in-transit” data leakage due to the need to transport the equipment to a shredding facility in case of logistics or financial constraints. Also, it is possible to extract data from an improperly shredded device (or a shredded part of the device).
Lack of due diligence: Sufficient due diligence in the process of choosing and liaising with the vendor during and after the data destruction process is much needed by organizations. In the Morgan Stanley episode, the major lapse appears to be on the part of the vendor hired for media sanitization, wherein the discarded devices were found to have data after four years. Also, there seems to be a gap in the audit process on both sides.
Insufficient documentation: Companies put themselves in danger of data breach if they do not demand verifiable documentation of media sanitization from the vendors. The calamity in the Morgan Stanley case might have been averted if the firm had been persistent in getting a certificate for all the erased hardware.

Data Erasure Software: Securely Erase Your Data

The most effective way to securely and permanently erase data from used hardware is to use a professional data erasure software such as BitRaser that works by overwriting the existing data once or multiple times by using advanced algorithms and global standards. This destroys the data, making it totally unreadable and, therefore, secure against breach or misuse.

Data erasure, aside from being an effective standalone media sanitization method, can also complement other methods such as shredding. For example, it can erase the inventoried devices, lined up for shredding, to nullify any risks of data leakage through possibilities of hardware theft or misappropriation.

Key capabilities of data wiping tool include:

Secure wiping: The tool should erase the storage drive as per various global data wiping standards such as NIST, DoD, etc. & destroy the existing information using secure overwriting patterns, ensuring a total safeguard against data extraction and misuse.
Verifiable reporting: The software should be able to generate a tamper-proof certificate and reports of erasure that serve as verifiable proof for audit trails.
Fail-safe regulatory compliance: Choose software that sanitizes the devices in compliance with global data protection laws and standards, such as GDPR, SOX, HIPAA, etc.

Key Takeaways

Data breach in used hardware is the ‘Elephant in the Room’ that businesses must address. The following bullets demonstrate the key takeaways, brought to light by the recent data breach incident at Morgan Stanley:

There are substantial risks associated with the careless disposal of IT assets. The threats come with both immediate and long-term consequences such as hefty fines, loss of reputation, etc.
These risks are carried forward indefinitely. An un-sanitized hard drive containing sensitive data belonging to a span that was 5 or 10 years ago is still a privacy concern. You need to take proper care of the device through every step in its lifespan, from acquisition to destruction.
It is better to report and investigate a data breach incident as soon as it is discovered. Further, the firm should take the appropriate measures to fix the loopholes, including identifying & implementing effective methods and policies to sanitize the hardware. It must also look for systematic provisions to generate and preserve documented proof of sanitization for the individual storage unit.

About The Author

Namrata Sengupta

51 posts

Namrata is a seasoned business leader with a strong background in strategic management, revenue growth, brand building, and nurturing partnerships. She has more than 25 years of experience serving leadership roles in IT / ITES , Telecom & Education industries. In her role as Vice President at Stellar, she has been actively talking about data privacy & erasure solutions through live technology events in the US, Europe & APAC.