{"id":48742,"date":"2022-10-05T09:00:00","date_gmt":"2022-10-05T09:00:00","guid":{"rendered":"https:\/\/www.csoonline.com\/article\/3675290\/the-astronomical-costs-of-an-asset-disposal-program-gone-wrong.html#tk.rss_security"},"modified":"2022-10-05T09:00:00","modified_gmt":"2022-10-05T09:00:00","slug":"the-astronomical-costs-of-an-asset-disposal-program-gone-wrong","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/the-astronomical-costs-of-an-asset-disposal-program-gone-wrong\/","title":{"rendered":"The astronomical costs of an asset disposal program gone wrong"},"content":{"rendered":"
<\/div>\n

Every entity should have an information technology asset disposal (ITAD) program as part of its information security process and procedure. Indeed, every time an IT asset is purchased, the eventual disposal of that asset should already be defined within an ITAD. When one doesn\u2019t exist, data becomes exposed, compromises occur, and in many cases, fines are levied. Such was the case with Morgan Stanley Smith Barney (MSSB), which continues to feel the repercussions of their ITAD\u2019s failure over the past several years, which has now resulted in $155 million USD in fines and penalties.<\/p>\n

On September 20, 2022, the Securities and Exchange Commission (SEC) reached a settlement agreement<\/a> in which MSSB paid a $35 million USD penalty for the improper disposal of devices containing MSSB customer persona identifying information (PII).<\/p>\n

In October 2020, a consent order was issued by the Office of the Comptroller of Currency<\/a> in which MSSB agreed to pay a penalty of $60 million. This was followed in January 2022 with the settlement of a class-action lawsuit<\/a> in which MSSB agreed to pay an equal amount to victims of the ITAD failure and the resultant exposure of data.<\/p>\n

Consequences of a deficient ITAD program<\/h2>\n

Within the SEC\/MSSB settlement document<\/a>, it is clear that MSSB had an ITAD program in place, yet the program was deficient, inasmuch as it was \u201cnot reasonably designed\u201d and \u201cfailed to ensure that a qualified vendor was used for data decommissioning.\u201d In one of the documented instances, MSSB did the equivalent of ordering off the menu at a restaurant \u2013 they had a moving company, Triple Crown, whose skillset MSSB had identified in their own risk assessment dated 2013 as \u201clocal trucking, storage, and long-distance moving.\u201d<\/p>\n

In 2021 court filing, MSSB passed the buck<\/a> and described a daisy chain of contractors and subcontractors who caused the data exposure. MSSB blamed Triple Crown for its failure to remove, wipe, and recycle the devices securely. Despite an agreement that Triple Crown was to have obtained MSSB\u2019s consent prior to engaging a subcontractor, the bank asserted that Triple Crown sold the devices to AnythingIT, telling MSSB that the devices had been destroyed. AnythingIT also failed to destroy the devices and continued the daisy chain of reselling them to KruseCom. <\/p>\n

When asset disposal becomes asset deception<\/h2>\n

Discussing the MSSB ITAD failure, Kyle Marks, ITAD chain of custody expert and CEO of Retire-IT observed that \u201chow Morgan Stanley handled ITAD is not unusual. Getting caught is. ITAD has a problem with incentives. Everybody has an incentive to hide problems in IT asset disposition. ITAD is the last step in the very long journey of the IT asset lifecycle.\u201d<\/p>\n