Four Takeaways from the Morgan Stanley Debacle

Traveling through the network of the ITAD world these days are the cautionary examples of companies who find themselves in a data breach debacle. There is no room for error in an industry that handles valuable information and sensitive data - daily, hourly, and even minute-by-minute.

Let’s take a recent example, Morgan Stanley – how did it go so terribly wrong and why? If they covered their bases, you'll see that this could have been a whole different story or, more accurately, no story at all. They could have avoided becoming a headline or the more tragic consequences that followed - a hit to their reputation and bottom line.





4 Crucial Takeaways


1. No Plan in Place

Data destruction and managing the lifecycle of outdated equipment require a strategic plan and processes. Before hiring an ITAD vendor to manage end-of-life equipment, internal procedures and owners within the organization should first be established.


Companies need the necessary safeguards in place to protect against unsafe industry practices. Morgan Stanley did not develop and adhere to an operational strategy to manage its vendors. As a result, small process changes went unnoticed, and with no outlined procedures on their end, sensitive data was compromised. For example, someone should have been assigned to monitor the reporting internally. If there had been a clear owner for this task, Morgan Stanley would have realized their ITAD company had changed vendors.



2. Partnering with Inexperienced Vendors

Morgan Stanley knowingly contracted with a vendor with zero data destruction experience. In addition, this same vendor switched to a different e-scrap company without Morgan Stanley's knowledge or approval.



When you hire a vendor at a high level, you are bringing them on to represent your company's best interests. A reputable partner has built their business on experience and credibility. They have secure processes and reliable staff to protect your bottom line and reputation. However, finding a vendor to manage and dispose of sensitive data means vetting them thoroughly.



Ideally, when sourcing an ITAD vendor, you want one who can manage all the steps to IT asset disposition and is NAID AAA Certified (this is non-negotiable). A single-source vendor is solely responsible for keeping track of every step and has checks and balances in place to ensure zero leakage. If too many vendors are involved in handling data-bearing assets and moving them through multiple channels, the chances of human error increase.


For every service they provide, a vendor should be able to confidently illustrate how they will ensure your assets are never compromised. Take for example:

  • On-site data destruction – without it even leaving your premises, data on hard drives or other media can be safely destroyed. Verify NIST 800-88, Rev. 1, NSA, DoD guidelines are followed, and a Certificate of Destruction provided.

  • Transport – always supervised, in a locked box truck, and real-time tracking.

  • Facility standards – high-level of security, gated, 24/7 monitoring, etc.

  • Sanitization, reporting and logs - NIST 800-88, Revision 1, Re-verification, non-auditable reports, zero leakage, detailed sanitization reporting and e-waste certificates provided.


3. A Weak Chain of Custody

During the decommissioning process, the lack of documentation meant Morgan Stanley had no idea where their devices were or if they were being handled correctly. As a result, customer data was sitting exposed without their knowledge. In fact, if they had a clear chain of custody, they would've known before it was too late that their electronic devices were not being wiped of data.

With a strong chain of custody in place, you can also prove you are not at fault should your customer's data is compromised. In the case of Morgan Stanley, they did not verify their subcontractors destroyed the data before reselling the devices, nor did they have the documentation or certificates of destruction. With every IT asset disposition, a vendor should be able to offer you the paper trail to show you did everything possible to keep your customer and company safe.


4. Mistakes Are Costly

Too often, companies will go for the lowest bid to save some money. Morgan Stanley initially worked with one vendor but moved their contract to another company to save $100,000. Going the cheapest route, in this case, cost them. When it comes to highly sensitive data, this is not the area to cut corners.


Morgan Stanley paid hefty fines and legal settlements, adding up to millions and millions of dollars. But it also harmed them in more prominent ways - their credibility is tarnished, and building trust back takes an immense amount of time and effort. This one data breach will continue to cost Morgan Stanley for years to come.


Yes, this is a lesson in what not to do. More importantly, it is a reminder that the slightest glitch can have major repercussions. It's essential to have the right people and processes in place internally to manage IT asset disposition, but just as critical is an ITAD vendor who will assure you that your end-of-life data is absolutely 100% obsolete.




Data Slayer is a single source vendor & NAID AAA certified to protect your company and customers. We manage all the components including removals, logistics, inventory, reporting, data sanitization and logs. Contact Us to learn all the secure measures we take to eliminate any risks.