>Moreover, during this process, MSSB also learned that the local devices being decommissioned had been equipped with encryption capability, but that the firm had failed to activate the encryption software for years.
Are you running an EMC CLARiiON array with the export encryption option licensed? What works on your desktop isn't really comparable to what Morgan Stanley had on the datacenter floor 10 years ago.
Yeah, but they don't have millions of dollars available, and they don't store personal information of millions of people. Morgan Stanley is and was clearly able to afford this license, and if you need to handle data this sensitive, you must take the necessary precautions.
Just because the company has money doesn't mean the department or line of business does. I didn't read the report, but it wouldn't surprise me if this was some acquisition infra (it would explain why they hired a moving company).
Building a nuclear reactor without shielding is not okay just because the business department responsible for the construction doesn't have it in their budget this year. If you can't afford to encrypt this amount of data, you can't afford to store it, end of story.
> I didn't read the report but wouldn't surprise me if this was some acquisition infra (it would explain why they hired a moving company)
I didn't read it yet, either, but this seems unlikely - why would an acquisition have so much customer data in their DC? And if they had so much data, why didn't they encrypt it beforehand? Anyway, in the end, it was still Morgan Stanley that hired the moving company, so they f-ed up either way.
Yeah, 2005 for FDE would be pretty early-adopter territory. On the Mac side, Apple launched FileVault version 1 with 10.3 in 2003, but that only encrypted user home directories (IIRC it effectively was an attempt at transparently running a home directory off an encrypted disk image). Actual FDE came with FileVault 2 and 10.7 Lion, which wasn't until 2011.
Though at the same time, while we've gotten used to banks lagging horribly on tech, given their resources and the sensitivity of the information they deal with, an argument can be made that they should be leading, not lagging, and that cost cutting and lack of leadership interest aren't great excuses for delays. I do think by 2015, yeah, that was getting kind of bad. On the other hand, the penalty wasn't much ($35m in 2022 would be worth a lot less to them working back 7 years). It might still have been cheaper to set up FDE back then. Optimistically, there may be Morgan Stanley clients well off enough to mount real private lawsuits, or at least take quite a lot of money elsewhere if they're irritated enough, so while this penalty alone might not be much of a lesson about PII, perhaps they'll still come to regret it a little :\
Yeah, MS was ultra behind. Scramdisk came out in 1998 or 99 as I recall.
I wasn't working in IT so I have no idea what corporate policy was like at the time, but it was highly recommended in hacker circles. It can't have been that hard.
Rather, things like Scramdisk were ahead of their time and nearly exclusively for enthusiasts and security gurus.
In the early 2000s, any sort of encryption was a non-trivial burden on already slow (by today's standards) systems. Plus the whole export encryption fiasco and more.
I'd say FDE didn't really take off until your mobile devices started to offer it by default, and make it easy enough that regular users don't ever need to think about it. Now pretty much all operating systems support FDE "out of the box".
Saying folks should have been running FDE back in the early 2000s is just absurd, really.