Underpinning the reluctance to move away from shredding is the fear that data could leak, triggering fury from customers and huge fines from regulators.
Last month, the US Securities and Exchange Commission fined Morgan Stanley $35 million for an “astonishing” failure to protect customer data, after the bank’s decommissioned servers and hard drives were sold on without being properly wiped by an inexperienced company it had contracted. This was on top of a $60 million fine in 2020 and a $60 million class action settlement reached earlier this year. Some of the hardware containing bank data ended up being auctioned online. While the incident stemmed from a failure to wipe the devices before selling them on, the bank now mandates that every one of its data-storing devices is destroyed—the vast majority on site. This approach is widespread.
One employee at Amazon Web Services, who spoke on condition of anonymity, explained that the company shreds every single data-storing device once it is deemed obsolete, usually after three to five years of use: “If we let one [piece of data] slip through, we lose the trust of our customers.” Amazon declined to comment.
A person with knowledge of Microsoft’s data disposal operations says the company shred everything at its 200-plus Azure data centers. Microsoft says “we currently shred all [data-bearing devices] to ensure customer data privacy is maintained fully.”
arstechnica.com
