$35 million fine for 15 million customers' PII. The 'clear message' is that a customer's PII is worth about $2. Meanwhile the customers are on the hook for fraud monitoring in perpetuity.
Until living, breathing, actual people face real consequences for this kind of thing, any enforcement actions are just theater.
At least humans are mostly controlled by ethics and morals.
Corporations, not so much.
Isn't it like annually worth like $10?
If I cut open your £180k Aston Martin with an angle grinder to steal a pair of sunglasses that I sell in a pub for £10, should my fine be £11?
The SOP at those places was that hard drives from the data center NEVER left the building except through a device that destroyed them. Their security guards were really into checking for them, etc.
It was a pretty common rule across those banks, etc., at that time, and that was quite a while ago.
To be clear, in one building there were a few thousand people working. When I visited, I and maybe a dozen or two dozen other people in the building had access to the data center. Cameras everywhere, appointment verification, IDs, man traps and all.
I'd visit and go up to the doors and passers-by would stop to watch "he's going inside..."
Whatever a random drone was doing with their laptop, that's a whole other issue / policy.
It was even more fun at military sites. NOTHING non-essential ever left. You, your ID (they held it), your clothing, glasses... that was all that came out; your laptop and any spare parts were left behind every time. If you went to the very special sites... you also made sure nothing was in your car that you didn't want to lose.
Guess the smartest people in the room weren't in the IT department ... Wonder if they chose that moving and storage company because they were a cheaper option.
The people who literally shredded the hard drives would give us the literal bits back.
It's kind of nutty but information is the life blood of hedge funds.
Though at the same time, while we've gotten used to banks lagging horribly on tech, given their resources and the sensitivity of the information they deal with, an argument can be made that they should be leading, not lagging, and that cost cutting and lack of leadership interest aren't great excuses for delays. I do think by 2015, yeah, that was getting kind of bad. On the other hand, the penalty wasn't much ($35m in 2022 would be worth a lot less to them working back 7 years). It might still have been cheaper to set up FDE back then. Optimistically, there may be Morgan Stanley clients well off enough to mount real private lawsuits or at least take quite a lot of money elsewhere if they're irritated enough, so while this penalty alone might not be much of a lesson about PII, perhaps they'll still come to regret it a little :\.
I wasn't working in IT so I have no idea what corporate policy was like at the time, but it was highly recommended in hacker circles. It can't have been that hard.
In the early 2000s, any sort of encryption was a non-trivial burden on already slow (by today's standards) systems. Plus the whole export encryption fiasco and more.
I'd say FDE didn't really take off until your mobile devices started to offer it by default, and make it easy enough that regular users don't ever need to think about it. Now pretty much all operating systems support FDE "out of the box".
Saying folks should have been running FDE back in the early 2000s is just absurd, really.
> I didn't read the report but wouldn't surprise me if this was some acquisition infra (it would explain why they hired a moving company)
I didn't read it yet, either, but this seems unlikely - why would an acquisition have so much customer data in their DC? And if they had so much data, why didn't they encrypt it beforehand? Anyway, in the end, it was still Morgan Stanley that hired the moving company, so they f-ed up either way.