Think Your End-of-Life Data is Destroyed? Think Again!

When it comes to our personal data, some companies will go above and beyond to obtain it. Unfortunately, some companies don’t always take the same time and care when it comes to destroying that data. Recently, Morgan Stanley has come under fire for the possible breach of their clients’ information. On July 10, the financial institution issued a statement to their clients that “potential data security incidents” had occurred relating to their personal information.

The incidents, which occurred over four years, were caused by an ITAD (IT asset disposition) vendor misplacing a number of pieces of computer equipment used to store customers’ personally identifiable information (PII).

Keeping Information Safe

A company like Morgan Stanley risks data security breaches every step of the way when opting for a third-party route; this can cause irreparable damage not only to their clients but to their brand as well. Likewise, the belief that recycling hard disk drives (HDDs) and solid-state drives (SSDs) is best practice can, unfortunately, lead to significant consequences.

While some reputable data sanitization companies exist, if a company chooses to utilize an ITAD vendor instead of conducting end-of-life destruction in-house, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle or misuse drives during transportation, while they are being sorted by staff, and during the actual acts of destruction and disposal. Some contracted salvage vendors have even been known to sell the equipment they were given to online third parties.

It is a scary but familiar misbelief that simply erasing drives clean is enough to keep your information safe. Unfortunately, when data is erased from a drive, it’s possible that both unencrypted and encrypted information can linger and be easily accessible to hackers. Morgan Stanley’s chief information security officer, Gerard Brady, wrote, “The manufacturer subsequently informed us of a software flaw that could have resulted in small amounts of previously deleted data remaining on the disks in unencrypted form.”

While Morgan Stanley has issued a statement promising to pay for two years of credit monitoring for customers whose data may have been breached, it frankly isn’t enough for some clients, as this possible breach may not affect them until much later.

“There is no statute of limitations on future data breaches,” writes Bob Johnson of the National Association for Information Destruction (NAID). “If a hard drive turns up five or ten years down the road with personal information on it, it is still a data breach plain and simple. Ignoring missing or improperly wiped electronic media today simply means there are a bunch of time bombs floating around.”

Effective Ways to Destroy Data

This is precisely why we at SEM stress that all hard disk drives be degaussed and destroyed, and that this be done in-house. When destroying data in-house, companies can be positive that the data is successfully destroyed, whereas when drives are handed over to a vendor, the company forfeits any and all oversight. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media, which renders the drive completely inoperable. No matter the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment simply because it is impossible to be certain that all data has been destroyed otherwise. This can, in turn, potentially save the company more time and money in the long run by preventing breaches early on.

While Morgan Stanley was unaware of the dangers that come with hiring third-party data sanitization companies, they, along with their clients, are unfortunately the ones who are left to suffer the consequences of the vendor’s negligence.

At SEM, we have an array of high-quality NSA-listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to answer any questions you may have and help determine which machine will best meet your personal or regulated destruction needs.

(To read more about how one’s trash can easily become another’s treasure, read one of our previous blog posts here.)
