
The Hardware Was Retired. The Data Wasn't. Three Case Files.

Disposal failures are unusually well documented — regulators publish the orders, courts publish the settlements. Three cases, the specific control that failed in each, and what the failures cost. All figures below are from public regulatory and court records.

By Brian Boynton

TL;DR

Improperly disposed hardware is one of the most preventable breach categories on record. Three public cases show the pattern: an unqualified vendor, an unverified assumption, or an unwatched process — each turning routine disposal into eight-figure liability.

  • Morgan Stanley: a moving company hired for data-center decommissioning; devices resold with customer data; over $160M across the OCC, SEC, a class action, and state AGs.
  • Health Net: nine unencrypted server drives unaccounted for at a vendor-managed data center; 1.9 million individuals notified.
  • Brighton & Sussex NHS: ~1,000 drives sent for destruction, at least 252 resurfaced on eBay; a record ICO fine.
  • Every case failed on process, not technology: vendor qualification, serialized reconciliation, verified destruction.

01 / THE PATTERN
The breach that requires no hacking

Most breach categories involve an adversary. Disposal breaches mostly don't — they're self-inflicted, and that's precisely why regulators treat them harshly. There is no zero-day to blame when customer data walks out on a decommissioned drive; there is only a process that didn't exist or wasn't followed. The three cases below are unusually valuable because the record is public and specific: consent orders, SEC filings, settlement documents, and regulator penalty notices spell out exactly which control failed.

They also share a shape. In each one, the organization believed the disposal step was handled — by a vendor, by encryption, by a contractor — and had no verification that it actually was. The fix, in every case, is the same unglamorous machinery: qualified processors, serialized records that reconcile to inventory, and an unbroken chain of custody. (One note on sourcing: the figures below reflect public records as of this writing; see the FAQ for how we sourced them.)

02 / CASE FILE 1
Morgan Stanley: the moving company decommission

What happened. During a 2016 decommissioning of two wealth-management data centers, Morgan Stanley Smith Barney used a moving and storage company — one with no experience in data destruction — to handle thousands of devices, and, per the SEC's order, failed to monitor its work. The moving company sold devices to a third party, and equipment containing unencrypted customer data was eventually resold on an internet auction site. The firm learned the scope in part when an IT consultant in Oklahoma emailed to say he'd bought hard drives online that were full of the bank's data. A separate 2019 hardware-refresh incident compounded it: a records reconciliation found 42 servers, potentially containing unencrypted customer information, missing. The devices had encryption software available — but per the SEC, it had not been activated.

What it cost. The public tally, from the regulators' and courts' own documents: a $60 million OCC civil money penalty (October 2020); a $60 million class-action settlement covering roughly 15 million customers (agreed January 2022); a $35 million SEC penalty (September 2022, with the SEC's enforcement director calling the failures “astonishing”); and a $6.5 million multistate attorneys-general settlement (2023). More than $160 million — for a project whose proper execution would have cost a rounding error of that.

The control that failed. Vendor qualification and oversight. A mover is not an ITAD provider; nothing in the engagement produced serialized destruction records, and no reconciliation caught the gap until outsiders did. Every question in our vendor due-diligence guide exists because of a failure shaped like this one.

03 / CASE FILE 2
Health Net: nine drives, unaccounted for

What happened. In January 2011, IBM — the vendor managing Health Net's IT infrastructure — notified the insurer that it could not locate several server drives at a data center in Rancho Cordova, California. Forensic analysis determined the nine unencrypted drives held personal information of current and former members, employees, and providers: names, addresses, health information, Social Security numbers, financial data. In March 2011 Health Net began notifying about 1.9 million individuals nationwide, per the California Department of Managed Health Care, which opened its own investigation. It was the company's second disposal-adjacent incident in eighteen months — an unencrypted drive with years of member data had gone missing in 2009.

What it cost. Nationwide notification and credit monitoring at seven-figure scale, state investigations in California and Connecticut, a consolidated class action (later settled with credit monitoring, identity-theft insurance, and reimbursement benefits), and a lasting citation in every healthcare-ITAD conversation since — including this one.

The control that failed. Serialized accountability inside an outsourced environment. “Our vendor manages the data center” is an operating model, not a custody record. Drives at rest are still in scope for inventory reconciliation, and a missing serial is a reportable event whether or not anyone can prove misuse — under HIPAA, unaccounted-for PHI is the breach. Our healthcare ITAD field guide covers the BAA and accountability framework this case demands.

04 / CASE FILE 3
Brighton & Sussex NHS: destruction that turned into eBay listings

What happened. In late 2010, an individual engaged through the trust's IT service provider was tasked with destroying roughly 1,000 hard drives held in a keycode-controlled room at Brighton General Hospital. Instead, at least 252 of the drives left the building and were sold on an internet auction site. A data-recovery company bought four and found trust data; months later a university reported that a student had bought more. The drives held highly sensitive records — including data on HIV and genitourinary-medicine patients, staff National Insurance numbers, and home addresses. The trust could not explain how the drives were removed during the contractor's five days on site.

What it cost. A £325,000 civil monetary penalty from the UK Information Commissioner's Office (June 2012) — at the time, the largest the ICO had ever issued. The trust protested it could not afford the fine and ultimately paid £260,000 under an early-payment reduction, alongside committing to secure media storage, supplier vetting, and an accredited disposal provider.

The control that failed. Witnessed, verified destruction. “Sent for destruction” and “destroyed” are different states, and only a per-drive record — serial in, certificate out, reconciled — distinguishes them. Subcontracting made it worse: the trust reportedly didn't know the individual had been engaged at all. Certifications like NAID AAA exist precisely to put audited controls (including unannounced audits) around this exact step.

05 / THE LESSONS
Three cases, one checklist

The control failures, side by side

Morgan Stanley
  Root failure: Unqualified vendor, unmonitored; encryption present but never activated
  The preventing control: Certified ITAD provider, verified engagement, serialized certificates reconciled to inventory

Health Net
  Root failure: No serialized accountability for media in an outsourced data center
  The preventing control: Inventory reconciliation covering vendor-managed environments; missing-media escalation

Brighton & Sussex NHS
  Root failure: Unverified subcontracted destruction; no per-drive completion record
  The preventing control: Witnessed or certificate-verified destruction, per serial, under an audited standard

Reduced to practice, the prevention stack is short: (1) qualify the processor — verify certifications by number, not by logo (the scorecard takes two minutes); (2) keep a serialized inventory and reconcile every disposal against it — the Morgan Stanley reconciliation that found 42 missing servers is the argument for doing it before a regulator does; (3) demand per-device certificates naming the NIST 800-88 method; (4) never let unverified assumptions — “it was encrypted,” “the vendor handles it” — substitute for records. None of this is sophisticated. That's the point: neither were the failures.
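The reconciliation step in (2) and the certificate check in (3), as an added illustration that is not the article's own tooling: it compares the serials released to a processor against the per-device certificates that came back and flags every serial that is unaccounted for, certified without a named NIST 800-88 method, or certified despite never having been released. The register and certificate lines are constructed sample data; the certificate fields and "COD-" ids are assumptions, not any vendor's format.

```python
# Serialized disposal reconciliation: added illustration, not the article's own
# tooling. Every serial released to the processor must come back on a per-device
# certificate naming a NIST 800-88 method; anything else is an exception.
from dataclasses import dataclass, field

ACCEPTED_METHODS = {"Clear", "Purge", "Destroy"}  # NIST 800-88 sanitization categories

# Constructed sample asset register: serials released to the disposal vendor.
INVENTORY = {"SN-1001", "SN-1002", "SN-1003", "SN-1004", "SN-1005"}

# Constructed sample certificate lines (serial, method, certificate id).
# SN-1003 never comes back, SN-1005's certificate names no method, and
# SN-9999 was never in our register.
CERTIFICATES = [
    ("SN-1001", "Purge", "COD-7781"),
    ("SN-1002", "Destroy", "COD-7782"),
    ("SN-1004", "Destroy", "COD-7783"),
    ("SN-1005", "", "COD-7784"),
    ("SN-9999", "Destroy", "COD-7785"),
]

@dataclass
class Reconciliation:
    verified: set = field(default_factory=set)        # serial in, valid certificate out
    missing: set = field(default_factory=set)         # released, no certificate: escalate
    unnamed_method: set = field(default_factory=set)  # certificate without an 800-88 method
    unknown: set = field(default_factory=set)         # certificate for a serial never released

    @property
    def reportable(self) -> bool:
        # One unaccounted-for serial is a reportable event whether or not misuse is shown.
        return bool(self.missing)

def reconcile(inventory, certificates):
    result = Reconciliation()
    seen = set()
    for serial, method, _cert_id in certificates:
        if serial not in inventory:
            result.unknown.add(serial)   # custody question: where did this drive come from?
            continue
        seen.add(serial)
        if method in ACCEPTED_METHODS:
            result.verified.add(serial)
        else:
            result.unnamed_method.add(serial)  # reject: a certificate must name the method
    result.missing = inventory - seen        # "sent for destruction" but never "destroyed"
    return result
```

Run `reconcile(INVENTORY, CERTIFICATES)` against the sample data and the result has one verified set, one missing serial to escalate, one certificate to send back, and one serial the custody record cannot explain.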

Case files FAQ

Where do these facts and figures come from?

From public primary records: the SEC's September 2022 press release and order (Morgan Stanley Smith Barney), the OCC's 2020 civil money penalty, the class-action settlement filings, state AG announcements, Health Net's public statements and the California DMHC's disclosures, and the UK ICO's penalty notice for the NHS trust. Figures reflect those records as of publication; this is informational reporting, not legal analysis.

Is a lost drive a “breach” if nobody proves misuse?

Frequently, yes — the trigger is usually that unauthorized access is reasonably possible, not proven harm. Under HIPAA, impermissible acquisition of unsecured PHI is presumed a breach unless a risk assessment shows low probability of compromise — unaccounted-for unencrypted drives rarely clear that bar. Health Net notified 1.9 million people over drives that were simply missing. (Informational only, not legal advice.)

Would encryption alone have prevented these?

It would have helped enormously — and it's also the trap. Morgan Stanley's devices had encryption capability that, per the SEC, was never activated: protection on paper only. Encryption prevents disposal exposure only if it was actually on, with sound key management, for the data's whole life on the media — the same condition 800-88 Rev. 2 puts on crypto erase. Verified sanitization or destruction is the control that doesn't depend on an earlier assumption having been true.

How do we stay off this list?

Four controls cover the documented failure modes: a certified processor whose certifications you verify by registration number; a serialized inventory reconciled against every disposition — including vendor-managed environments; per-device certificates naming the 800-88 method; and documented custody at every handoff. The due-diligence guide and the Vault's chain-of-custody and tracker templates operationalize all four.