[HN Gopher] Morgan Stanley didn't wipe their hard drives before ...
___________________________________________________________________
Morgan Stanley didn't wipe their hard drives before giving them to
a third party
Author : Benlights
Score : 56 points
Date : 2022-09-20 20:03 UTC (2 hours ago)
(HTM) web link (www.sec.gov)
(TXT) w3m dump (www.sec.gov)
| baobabKoodaa wrote:
| The real mistake in this trainwreck was that Morgan Stanley
| didn't encrypt their hard drives.
| Sebb767 wrote:
| Fully agreed. People like to complain about disk encryption
| just being a security theater checkbox in a cloud or datacenter
| environment, but this is exactly why it is needed.
| kube-system wrote:
| Many devices that a business might throw away in 2015 may not
| have been devices that supported full disk encryption out of
| the box.
| Li7h wrote:
| >Moreover, during this process, MSSB also learned that the
| local devices being decommissioned had been equipped with
| encryption capability, but that the firm had failed to
| activate the encryption software for years.
| kadoban wrote:
| I've been using fde since like 2005 or so and I'm not even a
| bank. Seems like they don't have much excuse?
| kube-system wrote:
| That's at least two years before even the most forward-
| thinking offices started using FDE on PCs. BitLocker came
| out in '07.
| myself248 wrote:
| Yeah, MS was ultra behind. Scramdisk came out in 1998 or
| 99 as I recall.
|
| I wasn't working in IT so I have no idea what corporate
| policy was like at the time, but it was highly
| recommended in hacker circles. It can't have been that
| hard.
| Alupis wrote:
| Rather, things like Scramdisk were _ahead_ of their time
| and nearly exclusively for enthusiasts and security
| gurus.
|
| In the early 2000s, any sort of encryption was a non-trivial
| burden on already slow (by today's standards) systems. Plus
| the whole export encryption fiasco and more.
|
| I'd say FDE didn't really take off until your mobile
| devices started to offer it by default, and make it easy
| enough that regular users don't ever need to think about
| it. Now pretty much all operating systems support FDE
| "out of the box".
|
| Saying folks should have been running FDE back in the
| early 2000s is just absurd, really.
| xoa wrote:
| Yeah 2005 for FDE would be pretty early adopter
| territory. On the Mac side Apple launched FileVault
| version 1 with 10.3 in 2003, but that only encrypted user
| home directories (IIRC it effectively was an attempt at
| transparently running a home directory off an encrypted
| disk image). Actual FDE came with FileVault 2 and 10.7
| Lion, which wasn't until 2011.
|
| Though at the same time while we've gotten used to banks
| lagging horribly on tech, given their resources and the
| sensitivity of the information they deal with an argument
| can be made that they should be leading not lagging and
| that cost cutting and lack of leadership interest aren't
| great excuses for delays. I do think by 2015 yeah that
| was getting kind of bad. On the other hand, the penalty
| wasn't much ($35m in 2022 would be worth a lot less to
| them working back 7 years). It might still have been
| cheaper to set up FDE back then. Optimistically, there may
| be Morgan Stanley clients well off enough to mount real
| private lawsuits or at least take quite a lot of money
| elsewhere if they're irritated enough, so while this
| penalty alone might not be much of a lesson about PII
| perhaps they'll still come to regret it a little :\.
| luma wrote:
| Are you running an EMC CLARiiON array with the export
| encryption option licensed? What works on your desktop
| isn't really comparable to what Morgan Stanley had on the
| datacenter floor 10 years ago.
| Sebb767 wrote:
| Yeah, but they don't have millions of dollars available
| and they don't store personal information of millions of
| people. Morgan Stanley is and was clearly able to afford
| this license and if you need to handle data this
| sensitive, you must meet the necessary precautions.
| rizza wrote:
| _Opinions are my own._ As someone who works for a large financial
| institution, THIS SHOULD NEVER HAVE HAPPENED! This could be
| deeply flawed security and controls processes, a culture of "not
| my problem", their tech leadership being incompetent, or the CFO
| driving CIO/CTO decision making. Either way this is not the sign
| of a healthy company and the rot likely runs much deeper. You
| don't make this kind of mistake in this industry at a firm of that
| size.
| duxup wrote:
| I used to visit the data centers of some very large financial
| institutions.
|
| The SOP at those places was that hard drives from the data center
| NEVER left the building except through a device that destroyed
| them... Their security guards were really into checking for them,
| etc.
|
| It was a pretty common rule across those banks, etc. at that
| time, and that was quite a while ago.
| cm2187 wrote:
| At the same time I heard several stories of people copying the
| files onto their desktop hard drives and leaving the building
| with them when Lehman went bust.
| duxup wrote:
| I didn't see any indication that the hard drives from the
| data center policy had anything to do with drones' laptops
| coming and going.
|
| To be clear, in one building there were a few thousand people
| working. When I visited, myself and maybe a dozen or two dozen
| other people in the building had access to the data center.
| Cameras everywhere, appointment verification, IDs, mantraps
| and all.
|
| I'd visit and go up to the doors and passers by would stop to
| watch "he's going inside..."
|
| Whatever a random drone was doing with their laptop, that's a
| whole other issue / policy.
|
| It was even more fun at military sites. NOTHING non-essential
| ever left. You, your ID (they held it), your clothing,
| glasses... that was all that came out, your laptop and any
| spare parts were left behind every time. If you went to the
| very special sites... you also made sure nothing was in your
| car that you didn't want to lose.
| LinuxBender wrote:
| Same. We had a "keep your disk" policy with both HP and Dell.
| Newer managers and directors hated it because they saw the
| price-tag and did not understand the incredible value it
| brought to the sales team when discussing security and privacy.
| We gained significant confidence from large prospects and
| customers when they learned we physically shredded disks and
| logged each serial number. This was in addition to the customer
| data being encrypted at-rest.
| hangonhn wrote:
| Same. When I used to work at a hedge the standard procedure was
| to zero them out first. Then retain the hard drives in a
| closet. Then someone could come periodically to physically
| destroy them.
| toomuchtodo wrote:
| How was the process governed so that drives actually were
| wiped before going out the door? That's really the challenge,
| the humans managing the kit are the weakest link. I do like
| the comment about drives only able to depart the premises
| through a shredder.
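The "zero them out first, then retain, then destroy" procedure above, and the question of how anyone verifies the wipe actually happened, can be backed by an independent read-back check that is logged per serial number. The following is an added example, not code from the thread or from any firm named in it; the device is a constructed in-memory image, and `serial` and `technician` are assumed fields of the custody log.

```python
"""Spot-check that a decommissioned drive (or its image) reads back as all
zeros, and emit a custody log record keyed by serial number. Added example."""
import io
import json
from datetime import datetime, timezone

BLOCK = 4096  # read granularity in bytes


def zero_wipe_check(dev, size, samples=64):
    """Read `samples` evenly spaced blocks from file-like `dev` of `size`
    bytes (first and last block always included). Return the byte offset of
    the first non-zero block found, or None if every sampled block is zero.
    Sampling is a spot check; pass samples=ceil(size/BLOCK) for a full pass."""
    nblocks = -(-size // BLOCK)  # ceil, so a trailing partial block is read
    samples = max(1, min(samples, nblocks))
    step = max(1, (nblocks - 1) // max(1, samples - 1))
    idxs = sorted(set(range(0, nblocks, step)) | {nblocks - 1})
    zero = bytes(BLOCK)
    for i in idxs:
        dev.seek(i * BLOCK)
        chunk = dev.read(BLOCK)
        if chunk != zero[:len(chunk)]:
            return i * BLOCK
    return None


def custody_record(serial, dev, size, technician, samples=64):
    """Build the log entry a decommissioning process would append per drive:
    serial, UTC time, who ran the check, and whether the read-back passed."""
    bad = zero_wipe_check(dev, size, samples)
    return {
        "serial": serial,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "technician": technician,
        "wipe_verified": bad is None,
        "first_nonzero_offset": bad,
    }


def demo():
    # Constructed 1 MiB "drive" image: fully zeroed, then one stray byte.
    size = 1 << 20
    clean = io.BytesIO(bytes(size))
    dirty_buf = bytearray(size)
    dirty_buf[600000] = 0x41  # leftover data in block 146
    dirty = io.BytesIO(bytes(dirty_buf))
    return (custody_record("CONSTRUCTED-SN-001", clean, size, "tech-a"),
            custody_record("CONSTRUCTED-SN-002", dirty, size, "tech-a",
                           samples=256))  # full pass catches block 146


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

The 64-sample default would miss the stray byte in the second image (block 146 is not on its sampling grid), which is why the demo runs a full pass for it; in practice the full pass is the one to log.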
| snarfy wrote:
| > "Today's action sends a clear message to financial institutions
| that they must take seriously their obligation to safeguard such
| data."
|
| $35 million fine for 15 million customers' PII. The 'clear
| message' is that a customer's PII is worth about $2. Meanwhile
| the customers are on the hook for fraud monitoring in perpetuity.
| routerl wrote:
| "Punishable by fine" means "legal if you can afford it".
|
| Until living, breathing, actual people face real consequences
| for this kind of thing, any enforcement actions are just
| theater.
| cyanydeez wrote:
| For corporations it means, "make sure there's a line item for
| the fines"
|
| At least humans are mostly controlled by ethics and morals.
|
| Corporations, not so much.
| cyanydeez wrote:
| $2 for enforcement.
|
| Isn't it like annually worth like $10?
| billybuckwheat wrote:
| >MSSB hired a moving and storage company with no experience or
| expertise in data destruction services to decommission thousands
| of hard drives and servers
|
| Guess the smartest people in the room weren't in the IT
| department ... Wonder if they chose that _moving and storage
| company_ because they were a cheaper option.
___________________________________________________________________
(page generated 2022-09-20 23:01 UTC)