Why Your ITAD Vendor Should Scare Morgan Stanley

In 2020, the SEC charged Morgan Stanley Smith Barney with failing to protect customer data during IT equipment decommissioning. The details were stunning — not because they involved sophisticated hacking, but because the failures were so basic.

Starting in 2016, Morgan Stanley hired a moving company — not a certified ITAD vendor — to decommission thousands of servers and hard drives from two data centers. The vendor was supposed to wipe the drives and dispose of the equipment. Instead, the equipment was resold on the secondary market with customer data still intact.

We're not talking about obscure metadata fragments. The drives contained unencrypted personally identifiable information for approximately 15 million customers — Social Security numbers, financial account numbers, dates of birth, and addresses. Some of the equipment went through multiple resellers before anyone noticed. Morgan Stanley ultimately found that it could not even locate some of the devices.

The fallout was severe. The SEC imposed a $35 million civil penalty. Morgan Stanley settled class-action lawsuits for $60 million. The OCC assessed an additional $60 million penalty. Additional state-level actions followed. Total exposure exceeded $160 million, and the reputational damage continues years later.

What went wrong — and what it tells you about choosing a vendor:

The vendor wasn't qualified. Morgan Stanley hired a company whose primary business was moving and storage, not data destruction. The vendor had no relevant certifications, no documented destruction process, and no chain of custody procedures. Lowest bidder won the contract. The data lost.

There was no verification. Morgan Stanley did not independently verify that data had been destroyed. They relied entirely on the vendor's assurance. No Certificates of Destruction were produced. No serial-number-level tracking existed. When the SEC asked for proof of destruction, Morgan Stanley couldn't produce it — because it didn't exist.

The equipment was resold without oversight. The vendor resold the equipment to secondary buyers, who resold it again. By the time data-intact drives were discovered, the equipment had changed hands multiple times across multiple states. There was no downstream disposition tracking whatsoever.

No one was monitoring after pickup. Once the equipment left Morgan Stanley's facilities, there was zero visibility into what happened to it. No status updates, no milestone confirmations, no documentation delivered. The entire process operated on blind trust — and blind trust failed catastrophically.

How to evaluate whether your vendor would survive the same scrutiny:

Ask for a sample Certificate of Destruction. If they can't show you one — with per-device serial numbers, destruction method, verification results, and technician identification — that tells you everything.

Ask about their chain of custody process. Who has possession of your equipment at every stage? How is it documented? Is there photographic evidence? If the answer is vague, your equipment is entering a black hole.

Ask about downstream disposition. What happens after the data is destroyed? Is equipment remarketed? To whom? Is anything exported offshore? Can they produce a Final Disposition Report showing the outcome for every asset?

Ask about their communication process. Will you hear from them after pickup? When? How often? If the vendor's process ends at "we loaded the truck," you're repeating Morgan Stanley's mistake.

Ask whether they've ever had a data incident. Honest vendors will tell you how they handle failures — drives that don't pass verification, equipment that can't be accounted for, devices that arrive damaged. The right answer involves documented escalation procedures. The wrong answer is silence.
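A serial-level reconciliation of the kind these questions point to, as an added example (not Sentinel Data Solutions' process or tooling): it compares the asset manifest recorded at pickup with the vendor's Certificate of Destruction export and lists every drive that lacks a complete, passing record. The CSV column names, category names and sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample data: the manifest recorded at pickup and the vendor's
# Certificate of Destruction (CoD) export. Column names are assumptions.
MANIFEST_CSV = """serial,asset_tag
WD-1001,SRV-01
WD-1002,SRV-01
ST-2001,SRV-02
ST-2002,SRV-03
"""
COD_CSV = """serial,method,verification,technician
WD-1001,shred,pass,T-17
WD-1002,overwrite,fail,T-17
ST-2001,overwrite,pass,
ZZ-9999,shred,pass,T-04
"""
REQUIRED = ("method", "verification", "technician")
CATEGORIES = ("missing_from_cod", "incomplete_record", "failed_verification",
              "not_on_manifest", "duplicate_in_cod")

def normalize(serial):
    return serial.strip().upper()

def reconcile(manifest_csv, cod_csv):
    """Return {category: sorted serials} for every discrepancy found."""
    manifest = {normalize(r["serial"])
                for r in csv.DictReader(io.StringIO(manifest_csv))}
    findings = {name: [] for name in CATEGORIES}
    seen = set()
    for row in csv.DictReader(io.StringIO(cod_csv)):
        serial = normalize(row["serial"])
        if serial in seen:  # the same drive certified twice
            findings["duplicate_in_cod"].append(serial)
            continue
        seen.add(serial)
        if serial not in manifest:  # certified, but never handed over
            findings["not_on_manifest"].append(serial)
        if any(not (row.get(f) or "").strip() for f in REQUIRED):
            findings["incomplete_record"].append(serial)
        elif row["verification"].strip().lower() != "pass":
            findings["failed_verification"].append(serial)
    findings["missing_from_cod"] = list(manifest - seen)  # no proof at all
    return {name: sorted(serials) for name, serials in findings.items()}

def accepted(findings):
    """The CoD is acceptable only when every category is empty."""
    return not any(findings.values())

if __name__ == "__main__":
    for category, serials in reconcile(MANIFEST_CSV, COD_CSV).items():
        print(f"{category}: {serials or 'none'}")
```

Any non-empty category is a question to put to the vendor in writing before the job is closed out.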

The ITAD industry is full of vendors who look credible on paper. Morgan Stanley's vendor probably looked credible too. The difference is in execution — processes that are documented, verified, and visible at every step. That's the bar. If your vendor can't clear it, your vendor is a liability.

Sentinel Data Solutions was built around the specific failures that cost Morgan Stanley $160 million. Our documentation, verification, and communication processes exist because we studied what went wrong and designed a system that prevents it. If you want to see exactly what our process looks like, download our sample Certificate of Destruction or contact us for a walkthrough.