The recent Morgan Stanley data breach brings data security & privacy need in the spotlight. It also reinforces the importance of secure and permanent erasure of data from the used devices before they are sent out for a secondary transaction.
The fact is that media sanitization is an essential yet overlooked aspect of ensuring total data security and privacy in the context of a data breach. Ineffective or incomplete cleansing of data stored in IT assets as they are sold, returned, donated, shredded, or discarded can cause data breaches, leading to disastrous consequences.
On July 10, 2020, Morgan Stanley informed some of its clients of a possible compromise of their data. It all started in 2016 when Morgan Stanley had closed down two of its data centers, and it commissioned an external vendor to destroy the data stored in all the devices used in the data centers. The vendor was supposed to wipe (erase) the data and dispose of the hardware to recyclers. The data wiping supposedly didn’t happen, and also, the firm didn’t requisite for valid documentation attesting the erasure action. In 2019, a recycler informed Morgan Stanley that some of the hardware still contained unencrypted data. It took Morgan Stanley a year to disclose the breach to the affected clients. A couple of lawsuits have followed, and now the reputed firm is staring at a tough legal course.
Consequences of Unsafe Data Disposal
The consequences associated with unsafe data disposal & media sanitization can be many. The most prominent ones are listed below:
- Legal penalties: In the event of data compromise, organizations have to face severe financial penalties, lawsuits, & imprisonment. Firms usually have to pay a hefty fine in settling the cases related to data breaches. Also, governments and regulatory agencies can impose additional penalties on the firm. For example, violation of EU-GDPR mandates can result in a penalty of up to €20 million or 4 percent of a company’s annual global revenue – whichever is greater.
- Loss of trust and reputation: It takes years to build the customers’ trust, and a single incident like unsafe data disposal, can cause irreparable damage through loss of customers, brand equity, and goodwill. After the incident at Morgan Stanley came to light, many affected customers stated that they will now move their businesses elsewhere.
- Misuse of business-critical information: A data breach can lead to the compromise & misuse of strategic information such as trade secrets, intellectual property, business intelligence, etc. leading to the loss of competitive edge and positioning of an organization.
Unsafe Disposition of Old IT Assets: Common Reasons
The following are the common reasons behind unsafe disposal of data bearing devices, leading to data leakage and breach:
- Using an inappropriate method: It is essential to use the right method to sanitize the different types of storage media. For example, degaussing is a technique for sanitizing hard drives, but it cannot work on a solid-state drive. Likewise, shredding is a physical destruction method to destroy any storage hardware, but it can pose a risk of “in-transit” data leakage due to the need to transport the equipment to a shredding facility in case of logistics or financial constraints. Also, it is possible to extract data from an improperly shredded device (or a shredded part of the device).
- Lack of due diligence: Sufficient due diligence in the process of choosing and liaising with the vendor during and after the data destruction process is much needed by organizations. In the Morgan Stanley episode, the major lapse appears to be on part of the vendor hired for media sanitization, wherein the discarded devices were found to have data after four years. Also, there seems to be a gap in the audit process on both sides.
- Insufficient documentation: Companies put themselves in danger of data breach if they do not demand verifiable documentation of media sanitization from the vendors. The calamity in the Morgan Stanley case might have been averted if the firm had been persistent in getting a certificate for all the erased hardware.
Data Erasure Software: Securely Erase Your Data
The most effective way to securely and permanently erase data from used hardware is to use a professional data erasure software such as BitRaser that works by overwriting the existing data once or multiple times by using advanced algorithms and global standards. This destroys the data, making it totally unreadable and, therefore, secure against breach or misuse.
Data erasure, aside from being an effective standalone media sanitization method, can also complement other methods such as shredding. For example, it can erase the inventoried devices, lined up for shredding, to nullify any risks of data leakage through possibilities of hardware theft or misappropriation.
Key capabilities of data wiping tool include:
- Secure wiping: The tool should erase the storage drive as per various global data wiping standards such as NIST, DoD, etc. & destroys the existing information using secure overwriting patterns, ensuring a total safeguard against data extraction and misuse.
- Verifiable reporting: The software should be able to generate a tamper-proof certificate and reports of erasure that serve as verifiable proof for audit trails.
- Fail-safe regulatory compliance: Choose software that sanitizes the devices in compliance with global data protection laws and standards, such as GDPR, SOX, HIPAA, etc.
Data breach in used hardware is the ‘Elephant in the Room’ that businesses must address. The following bullets demonstrate the key takeaways, brought to light by the recent data breach incident at Morgan Stanley:
- There are substantial risks associated with the careless disposal of IT assets. The threats come with both immediate and long-term consequences such as hefty fines, loss of reputation, etc.
- These risks are carried forward indefinitely. An un-sanitized hard drive containing the sensitive data belonging to a span that was 5 or 10 years ago is still a privacy concern. You need to take proper care of the device through every step in its lifespan, from acquisition to destruction.
- It is better to report and investigate a data breach incident as soon as it is discovered. Further, the firm should take the appropriate measures to fix the loopholes, including identifying & implementing the effective methods and policies to sanitize the hardware. It must also look for systematic provisions to generate and preserve a documented proof of sanitization for the individual storage unit.