The mistake? Tossing out old computers without wiping the hard drives.
In one episode described by the Securities and Exchange Commission, Morgan Stanley hired a moving company — which had “no experience or expertise” in data destruction — to decommission thousands of hard drives and servers holding customer data.
That company later sold thousands of those devices, some of which contained personal identifying information, to a third party. Eventually, the devices, still loaded up with sensitive data, wound up on an auction site.
The SEC didn’t mince words in laying out Morgan Stanley’s missteps.
Its “failures in this case are astonishing,” Gurbir Grewal, director of the SEC’s enforcement division, said in a statement. “If not properly safeguarded, this sensitive information…