Morgan Stanley Smith Barney has alerted investors — 34,000 of them — that CDs with sensitive information were lost and that they should be on the lookout for possible fraud. The CDs were password-protected…but were not protected with data encryption software like AlertBoot.
A terrible move in hindsight, but a common one, especially when it seems to involve government agencies.
CDs Were Sent to NY Dept of Tax
I’m not one that normally excuses bad corporate behavior, but I’ve got to say that Morgan Stanley can’t be blamed entirely. Certainly, not using some type of encryption software to protect the data before sending it out was a mistake (if that was company protocol at the time…well, the protocol was wanting). But, consider this:
The company mailed the CDs containing information about investors in tax-exempt funds and bonds to the New York State Department of Taxation and Finance. It appears the package was intact when it reached the department, but by the time it arrived on the desk of its intended recipient the CDs were missing, Wiggins said.
The state notified Morgan Stanley Smith Barney about the lost data on June 8. The company took two weeks to conduct an “exhaustive search” of all the facilities the package passed through. [abcnews.go.com, my emphases]
Now, if the package arrived fine at the Department of Taxation and Finance and got lost somewhere “in there”…well, I can hardly hold Morgan Stanley solely responsible. It still shares responsibility because sending sensitive information in the mail without adequate data protection is a stupid, stupid idea.
However, an impartial man (such as myself, who’s not affected by this particular data breach) would generally point fingers at the guys who received it and then lost it. In fact, all those headlines you read are slightly misleading (“Morgan Stanley Client Data Breached”) because there is an implicit assumption that Morgan Stanley breached it. A better headline would be “Tax Guys Lose Morgan Stanley Client Data.”
Of course, the question is, were the CDs actually delivered to the tax men? Or is the banker’s PR department working overtime to contort words to make things sound like one thing when it means something else? Because if it is the case that the CDs were delivered intact, why the heck is Morgan Stanley conducting an exhaustive search when it should be the Department of Taxation and Finance taking that action?
If You Have Time to Set Up a Password on a File…
…you have time to encrypt it. Honestly, with today’s computing power on the desktop, be it a laptop or something else, encrypting a couple of spreadsheets takes about as much time as setting up password-protection on it. In fact, the hardest part about encryption might be deciding on a password to use.
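As an added illustration of that point (this is example code written for this post, not a tool or procedure from the original article or from AlertBoot), the following POSIX shell script shows how little effort real encryption takes before a disc goes in the mail. It assumes the `openssl` command-line tool is installed; the investor spreadsheet it creates is a constructed sample with made-up values, and the passphrase is a placeholder. It also includes a last-minute sanity check a shipping clerk could run: grep the file that is about to be burned for a known column header, and refuse to ship if the header is still readable, because a file that is merely "password-protected" by an application still carries its contents in the clear.

```shell
#!/bin/sh
# Added example: passphrase-based file encryption with the openssl CLI
# (assumed to be installed), plus a pre-shipment plaintext check.
set -eu

# Encrypt $1 into $2 with a key derived from passphrase $3.
# PBKDF2 with 200000 iterations slows down offline guessing; a random
# salt is written into the output header so identical files differ.
# The passphrase is handed over via an environment variable rather than
# on the command line, so it does not show up in process listings.
encrypt_file() {
    ENCPASS="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:ENCPASS
}

# Reverse of encrypt_file; the recipient needs the same passphrase.
decrypt_file() {
    ENCPASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:ENCPASS
}

# Return 0 if file $1 still contains the readable marker $2.
# Used as a "did we actually encrypt this?" check before burning a disc.
contains_plaintext() {
    grep -q "$2" "$1" 2>/dev/null
}

# Refuse to ship any file in which the marker is still readable.
# Returns 0 when every file is clean, 1 otherwise.
ok_to_ship() {
    marker="$1"; shift
    for f in "$@"; do
        if contains_plaintext "$f" "$marker"; then
            echo "NOT encrypted, do not ship: $f" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone demo on a constructed sample file (run: sh script.sh demo).
demo() {
    tmp=$(mktemp -d)
    # Constructed sample data; the values are made up.
    printf 'Name,Account,TaxID\nJ. Sample,000111222,00-0000000\n' \
        > "$tmp/investors.csv"
    encrypt_file "$tmp/investors.csv" "$tmp/investors.csv.enc" \
        'placeholder-passphrase-change-me'
    ok_to_ship 'TaxID' "$tmp/investors.csv" || echo "plaintext copy caught"
    ok_to_ship 'TaxID' "$tmp/investors.csv.enc" && echo "encrypted copy is clear to ship"
    decrypt_file "$tmp/investors.csv.enc" "$tmp/roundtrip.csv" \
        'placeholder-passphrase-change-me'
    cmp -s "$tmp/investors.csv" "$tmp/roundtrip.csv" && echo "round trip OK"
    rm -rf "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Two caveats worth knowing before adopting this for real. First, `openssl enc` in CBC mode gives confidentiality only, not integrity: a wrong passphrase or a damaged disc is usually caught by a padding error, but nothing proves the ciphertext was not altered, so a dedicated encryption tool or an authenticated mode is the better choice for anything routine. Second, the passphrase has to reach the recipient by a separate channel (not in the same envelope as the disc), which is exactly the step that makes encryption different from an application-level "open password" that ships inside the file.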
This is not the first time I’ve read of an incident where sensitive data is sent to government agencies via some kind of disk, be it a CD or a DVD or whatever. I’m not sure why that option is even present. After all, if it fits on a CD or DVD, chances are that it’s going to take longer to copy it to a disk, mail it, and wait for the recipient to receive it than to, say, email it or send it via FTP or whatever. (Although I have admitted at least once in the past two weeks that perhaps this retro way of doing things is not such a bad idea with all the organizations that have fallen to hackers.)
What really is crazy, though, are the requirements I’ve read where the government agency requires, REQUIRES that a private courier be used for shipping in such instances, but no such requirement regarding disk encryption is present. It seems to me that if you’re imposing requirements on some other person or organization, perhaps it makes sense to impose just one more to ensure safety.