Everyone needs to think about the importance of hard drive destruction. Consider what’s on your work or personal computer. Yearly income taxes that you’ve saved as PDF files, medical records, passwords, emails, photocopies of your driver’s license, etc.
Business owners likely have customers’ credit card information, names, addresses, and contact information. Medical practices have medical information, and banks have SSNs, birth dates, bank accounts, etc. In the wrong hands, this is dangerous.
Morgan Stanley Made One Big Mistake During a Data Center Decommissioning
Morgan Stanley Smith Barney LLC was fined $35 million after customers’ personal identifying information (PII) was left on hard drives and servers during a 2016 data center decommissioning. The company decided to save $100,000 when it hired a moving company that had no experience in ITAD or data destruction. They hired the company believing they would destroy data and recycle the electronics, but the moving company didn’t do that nor did Morgan Stanley ask for proof.
Morgan Stanley hadn’t received any verification that data destruction took place or that devices that were supposed to be destroyed were actually destroyed, which was a big mistake. The company allegedly were using asset inventory control software in the early stages of the decommissioning, but they soon stopped.
When the moving company sold the hard drives to a third party, that third party auctioned them off. Worse, the company was unable to recover all of the hard drives and servers. A year after the data center decommissioning, an IT consultant purchased a number of hard drives in an auction and found the drives contained PII. Another company admitted that they’d received 3,000 pounds of backup tapes and claims the tapes were incinerated, but there’s no documentation to prove that it really took place.
This leads to June 2021 when Morgan Stanley reclaimed 14 hard drives. Thirteen of those hard drives contained PII. Many of the hard drives have never been recovered. All that’s known is that the moving company moved many to storage in NYC where the devices may have been shipped to other countries. Where there is no evidence that the information is being used for illegal purposes, there’s no guarantee that that won’t happen. All Morgan Stanley customers can do is wait and see.
Other Companies Have Had Similar Errors in Judgment
While improper data destruction and data decommissioning were costly for Morgan Stanley, other companies have made similar mistakes. Take a closer look at some of the recent cases.
Over 100,000 patients were affected by improper hard drive disposal by a community health center in Waterville, Maine. An employee at a third-party data storage facility disposed of several hard drives without following proper destruction methods. Information at risk of theft includes dates of birth, addresses, names, lab results, medical insurance information, and SSNs.
Back in 2019, a security consultant purchased 41 computers from companies that take donated items and sell them as refurbished items. He also purchased 27 flash drives or SD cards, 11 hard drives, and 6 cell phones. All of these came from stores that claim to destroy data when refurbishing, but people don’t often get a certificate providing proof the data has been destroyed.
After using some tools he created to pull PII, he found only two of the computers had been properly erased. Only three of the electronics were encrypted. He was able to pull SSNs, credit card numbers, driver’s license numbers, and dates of birth. The message was clear, consumers need to be very careful about who they’re donating their used electronics to and insist on getting a certificate of destruction.
Some Companies Are Shredding Hard Drives Out of Precaution
On the other end of the spectrum are companies that are destroying their computers and drives to ensure data is irretrievable. While it’s certain that chopping up hard drives into tiny pieces will prevent the loss, it can be overkill. If a hard drive is only a few years old, it still has years of use. Wiping data is just as effective, and it helps schools and non-profit organizations who can’t afford brand-new computers. Items can be refurbished and donated or sold at steep discounts.
Before you decide that shredding is the only option, take the time to discuss the best options with an expert in data sanitization and refurbishing. You might find your items have value, and you can recover some of that value. ERI helped one Fortune 500 company recover a third of the cost of a data center decommissioning by remarketing usable items after data destruction. What couldn’t be remarketed was destroyed and recycled.
How do companies like ERI destroy data without shredding the hard drives? There are several options.
Factory Reset – Most people think a simple factory reset is enough. It removes pathways to files that are on existing hard drives. While this is the measure many homeowners use, it’s not enough. Someone with the right expertise can restore those pathways to get the data from the hard drive. If a company offers to do factory resets, demand another option.
Degaussing – Degaussing is a method where powerful magnets destroy the magnetic field of a storage device. When the magnetic field is destroyed, the data is irretrievable. But, it only works on hard drives that use magnetic fields. It’s not a good option for an SSD.
Data Sanitization – Ideally, you want to have a company that performs data erasure following NIST 800-88 standards or better. It clears, purges, and destroys information on a hard drive or storage device, whether it’s HDD or SSD.
Choose ERI for Safe, Secure Hard Drive Destruction
Whether you own a business or are a consumer, you have choices when it comes to safe, responsible computer recycling. ERI is your partner in responsible electronics recycling.
Consumers can bring computers to Staples and Best Buy and know that they will be securely transported to ERI for hard drive destruction. Your private information is safe and destroyed following government standards. Not sure you like that option? You can purchase postage-paid secure boxes from ERI and ship them directly to one of our secure facilities for processing.
Do you have a lot of computers to recycle? We’ve all done it. Your laptop or computer is no longer of use, so you tuck it away in an attic, basement, or closet and forget about it until you’re out of room. Look into Best Buy’s pick-up recycling service where you can have an unlimited number of laptops and desktops, as well as two large appliances.
Businesses can hire our services and have us destroy data right in your building. If you’d rather have proof that data is destroyed before your computers are transported to one of our nine U.S. facilities, we’re happy to make those arrangements. You still get a certificate of destruction if your items come to one of our secure, guarded facilities. Nothing is sent overseas.
We also offer higher-level services if your organization or company requires enhanced, high security, or demilitarization services. Talk to our specialists to learn more about ERI’s hard drive destruction services.