In 2022, the Securities and Exchange Commission fined Morgan Stanley $35 million for a remarkably basic security failure: the firm had decommissioned thousands of hard drives and servers containing customer financial data without erasing them first. Some of those drives ended up for sale on the internet with unencrypted personal records of roughly 15 million customers still intact. Morgan Stanley is not an outlier. Study after study confirms that a significant percentage of used drives sold online contain recoverable personal, medical, and financial data from their previous owners.
Key Takeaways:
- Morgan Stanley paid $95 million in combined penalties after unwiped drives containing customer data were resold online
- NHS trusts in the UK were fined hundreds of thousands of pounds after patient records appeared on eBay drives
- Independent studies consistently find recoverable data on 30-42% of used drives purchased from secondary markets
- Every major breach traced back to the same root cause: no verified erasure process and no chain of custody for decommissioned hardware
- Proper erasure software with certificates of destruction, like BitRaser, would have prevented each of these incidents
Morgan Stanley: $95 Million in Penalties Over Unwiped Drives
The Morgan Stanley case is the most expensive example of what happens when drive disposal goes wrong, and the details reveal just how simple the failure was.
Between 2016 and 2019, Morgan Stanley decommissioned equipment from two data centers. Rather than using a certified IT asset disposition (ITAD) vendor or wiping the drives in-house before disposal, the firm contracted with a moving company — a company with no data destruction expertise, no certifications, and no track record in handling sensitive media.
That company was supposed to transport the equipment to a destruction facility. Instead, thousands of drives containing unencrypted customer data — names, Social Security numbers, account numbers, and financial records of approximately 15 million current and former clients — went missing or were resold on secondary markets. Some of the drives turned up for sale on an internet auction site, data still intact.
The Regulatory Fallout
The consequences came in waves:
- 2020: A $60 million class action settlement with affected customers
- 2022: A $35 million fine from the SEC for "failures to protect customer data" including the firm's failure to properly dispose of devices containing personal information
The SEC's enforcement order specifically cited Morgan Stanley's lack of adequate decommissioning policies and its failure to verify that data had been destroyed before hardware left the firm's control. The firm had no documented process for tracking drives through the disposal chain, no requirement for certificates of erasure, and no audit mechanism to confirm destruction had actually occurred.
What Went Wrong
The root causes were organizational, not technical:
- No verified erasure process — Drives were handed off without being wiped first
- Unvetted third-party vendor — A moving company, not a certified ITAD provider, handled sensitive equipment
- No chain of custody — The firm could not account for where individual drives ended up
- No encryption at rest — Customer data sat on drives unencrypted, so anyone with physical access could read it
- No post-disposal audit — Nobody checked whether destruction actually happened
Any one of these gaps alone creates risk. Together, they created an inevitability.
Bottom Line: Morgan Stanley's breach was not caused by a sophisticated attack or an unknown vulnerability. It was caused by handing unwiped hard drives to the wrong people with no verification. A standard media sanitization policy and certified erasure software would have cost a fraction of the $95 million in penalties.
NHS Trusts: Patient Records Sold on eBay
The UK's National Health Service has been hit repeatedly by data breaches tied to improperly disposed drives, and the incidents illustrate how outsourcing destruction without oversight creates exposure.
Brighton and Sussex University Hospitals (2010)
In 2010, the Information Commissioner's Office (ICO) discovered that hard drives containing highly sensitive patient data from Brighton and Sussex University Hospitals NHS Trust had been sold on eBay. The drives contained records covering patients with HIV, sexual health conditions, and other confidential medical information.
The trust had contracted a third-party company to destroy the drives. Instead of destroying them, the contractor sold them. The ICO issued a 325,000 pound fine in 2012 — at the time, one of the largest penalties the ICO had ever imposed.
NHS Surrey (2013)
A similar incident occurred with NHS Surrey. The trust hired a contractor to destroy over 3,000 hard drives. The contractor sold the drives online without wiping them. Buyers who purchased the drives from eBay found patient health records, including names, diagnoses, and treatment details, easily recoverable using standard data recovery tools.
The ICO fined NHS Surrey 200,000 pounds. In its enforcement notice, the ICO noted that the trust had "failed to have adequate measures in place to ensure the personal data held on the hard drives was effectively deleted or destroyed."
The Pattern
Both cases share the same failure pattern as Morgan Stanley:
- Drives handed to third parties without pre-disposal wiping
- No oversight or verification that destruction occurred
- Contractors prioritized profit over compliance
- No certificates of erasure were required or generated
For healthcare organizations subject to strict data protection requirements — whether HIPAA in the US or the Data Protection Act in the UK — these cases demonstrate that outsourcing destruction does not outsource responsibility. The data controller remains liable regardless of which vendor failed.

Used Drive Studies: The Scale of the Problem
Individual breaches make headlines, but academic and industry studies reveal that recoverable data on used drives is not exceptional. It is the norm.
Blancco and Ontrack Study (2019)
Blancco Technology Group partnered with data recovery firm Ontrack to purchase 159 used drives from eBay and Amazon Marketplace sellers in the US and UK. Their findings:
- 42% of drives contained residual data
- 15% contained personally identifiable information (PII) — Social Security numbers, dates of birth, financial records
- Recoverable files included emails, photos, documents, spreadsheets, and browser data
- Many sellers had listed the drives as "wiped" or "formatted"
The study confirmed that sellers' claims of having erased their drives were unreliable. Formatting, as we explain in our article on why formatting does not erase data, removes only the file system index and leaves actual data intact.
University of Glamorgan Studies (2005-2009)
Researchers at the University of Glamorgan in Wales conducted a multi-year series of studies, purchasing hundreds of used drives from online marketplaces and secondhand shops across the UK, US, Germany, France, and Australia.
Their 2009 study of 300 drives found:
- 34% contained recoverable data
- Recovered files included corporate financial records, legal case files, medical data, and government documents
- Only 1 in 10 drives had been properly sanitized
- The problem was consistent across all countries studied — this was not limited to any single market
MIT Study (2003)
In one of the earliest large-scale investigations, MIT researchers Simson Garfinkel and Abhi Shelat purchased 158 used drives from secondhand markets. They recovered:
- Over 5,000 credit card numbers
- Medical records, personal emails, and corporate data
- Only 12 of 158 drives (about 8%) had been properly sanitized
While the MIT study is now over two decades old, the Blancco 2019 study shows the percentage of improperly wiped drives has barely improved. The tools to erase data properly have gotten easier to use, but adoption remains low.
Corporate Data on Refurbished Equipment
Beyond individual sellers, corporate equipment enters secondary markets through leasing returns, bulk liquidation, and employee device programs. A 2017 study by Rapid7 found that enterprise equipment purchased from secondary markets frequently contained recoverable corporate data, including VPN credentials, internal network configurations, and customer databases.
When organizations upgrade hardware without a formal decommissioning process, entire batches of drives can enter the resale pipeline with sensitive data intact.
Lessons Learned: What Every Organization Should Do
Every breach and study covered above traces back to the same preventable failures. Here is what proper drive disposal looks like.
1. Wipe Before Anything Leaves Your Control
Never hand a drive to a third party — whether for resale, recycling, or destruction — without erasing it first. Use certified erasure software that follows NIST 800-88 guidelines and generates a verifiable certificate of destruction. Tools like BitRaser produce tamper-proof erasure reports tied to each drive's serial number.
2. Maintain a Chain of Custody
Track every drive from the moment it is removed from service until it is confirmed erased or destroyed. Record the drive serial number, the date it was removed, who handled it, the erasure method used, and the date of verified destruction. A formal media sanitization policy should define this workflow.
3. Verify, Do Not Trust
Do not take a vendor's word that drives were destroyed. Require certificates of erasure with drive serial numbers. Conduct periodic audits where you run data recovery tools on a sample of drives post-wipe. Trust is not a security control.
4. Vet Your Vendors
If you outsource any part of the disposal process, work only with certified ITAD vendors who carry certifications like R2, e-Stewards, or NAID AAA. Verify their certifications are current. Morgan Stanley's error was not outsourcing — it was outsourcing to an unqualified company.
5. Encrypt Data at Rest
Full-disk encryption provides a safety net even if other controls fail. An encrypted drive that falls into the wrong hands without being wiped still requires the encryption key to access data. This is not a replacement for proper erasure, but it limits the blast radius of a process failure.
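A post-wipe verification check of the kind step 3 asks for, and a demonstration of why the "formatted" drives in the studies above still yield files, as an added example that is not BitRaser's or any vendor's code: it walks a raw drive image sector by sector, classifies each sector as zero-filled, random-filled or structured, and flags recognisable file headers. The 7.0 bits/byte entropy threshold, the small signature table and the two sample images are assumptions constructed for this example; against a real drive you would pass it the contents of an image file taken from the device.

```python
import math
from collections import Counter

SECTOR = 512
# Heuristic assumption: a 512-byte block from a random-pattern pass scores well above this.
RANDOM_ENTROPY_THRESHOLD = 7.0
# Leading bytes of common file types; a sanitized drive should contain none of these.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
}

def entropy_bits(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for all-zero, 8.0 for a uniform byte spread."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_sector(block: bytes) -> str:
    """'zero' and 'random' are what a completed wipe leaves; 'structured' is residual data."""
    if not any(block):
        return "zero"
    if entropy_bits(block) >= RANDOM_ENTROPY_THRESHOLD:
        return "random"
    return "structured"

def audit_image(image: bytes, sector_size: int = SECTOR) -> dict:
    """Walk every sector; the image passes only if no structured sector or file header remains."""
    counts = Counter()
    headers = []
    for off in range(0, len(image), sector_size):
        block = image[off:off + sector_size]
        counts[classify_sector(block)] += 1
        for magic, kind in SIGNATURES.items():
            if block.startswith(magic):
                headers.append((off, kind))
    return {"sectors": sum(counts.values()), "by_class": dict(counts),
            "file_headers": headers, "passed": counts["structured"] == 0 and not headers}

def sample_images() -> dict:
    """Constructed 32 KiB images, not real drive captures."""
    wiped = bytes(SECTOR * 64)  # a completed zero-fill pass
    leftover = bytearray(wiped)
    frag = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog"
    leftover[10 * SECTOR:10 * SECTOR + len(frag)] = frag  # formatted, never overwritten
    leftover[20 * SECTOR:21 * SECTOR] = bytes(range(256)) * 2  # stands in for a random pass
    return {"wiped": wiped, "leftover": bytes(leftover)}
```

`audit_image(open("/path/to/drive.img", "rb").read())` runs the same check over a captured image; a failing result on any sampled drive is the signal that the erasure step, not just the certificate, needs investigating.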
What This Means for Individuals
You do not need to be a Fortune 500 company to be affected. Every time you sell an old laptop on eBay, donate a computer to a school, or drop a PC at a recycling center, your drives carry the same risk. Personal tax returns, saved passwords, banking sessions, photos, and medical records are all recoverable from a drive that was only formatted or factory-reset.
Before any drive leaves your possession, follow our guide to wiping a hard drive before selling or see our complete guide to wiping a hard drive for step-by-step instructions. A single-pass wipe with free tools like DBAN or ShredOS takes a few hours and eliminates the risk entirely for HDDs.
For SSDs, a standard overwrite is not enough due to wear leveling. Use the manufacturer's secure erase tool or a dedicated solution like BitRaser that supports firmware-level SSD sanitize commands.
Frequently Asked Questions
What happened in the Morgan Stanley data breach?
Morgan Stanley decommissioned thousands of servers and hard drives from its data centers between 2016 and 2019 without properly erasing them. The firm hired an unvetted moving company with no data destruction expertise, and drives containing unencrypted records of approximately 15 million customers ended up for sale online. The SEC fined Morgan Stanley $35 million in 2022, on top of a $60 million class action settlement in 2020.
How much was Morgan Stanley fined for improper drive disposal?
Morgan Stanley paid approximately $95 million in combined penalties: a $60 million class action settlement in 2020 and a $35 million SEC fine in September 2022. These penalties covered failures to properly decommission data center equipment containing customer financial records.
What was the NHS data breach involving hard drives?
Multiple NHS trusts were fined after contractors hired to destroy hard drives instead sold them online. Brighton and Sussex University Hospitals NHS Trust was fined 325,000 pounds after patient records including HIV diagnoses were found on drives sold on eBay. NHS Surrey was fined 200,000 pounds after over 3,000 drives containing patient data were resold without being wiped.
How often do used hard drives contain recoverable data?
Studies consistently find recoverable data on 30 to 42 percent of used drives sold through secondary markets. The 2019 Blancco and Ontrack study found data on 42% of 159 drives from eBay and Amazon, with 15% containing PII like Social Security numbers and financial records. The University of Glamorgan found data on 34% of 300 drives in 2009.
Can data be recovered from drives that were formatted before sale?
Yes. Formatting removes only the file system index — the actual data remains on the drive. Every major used-drive study has confirmed that standard recovery software can retrieve files from formatted drives within minutes. Only verified overwriting with dedicated erasure software or physical destruction prevents recovery.
What should companies do to prevent data breaches from disposed drives?
Establish a formal media sanitization policy. Use NIST 800-88 compliant erasure software that generates certificates of destruction. Verify all erasure with post-wipe audits. Maintain a documented chain of custody for every drive from removal to confirmed destruction. Work only with certified ITAD vendors and never hand drives to unvetted contractors.
Is physical destruction of hard drives always necessary?
No. Software-based overwriting following NIST 800-88 guidelines is sufficient for most scenarios and allows drives to be reused or resold. Physical destruction is recommended when drives have failed and cannot be overwritten, or when organizational policy requires it for the highest data classifications.
What regulations require proper hard drive disposal?
Multiple regulations mandate proper data destruction. HIPAA covers protected health information, GDPR protects personal data of EU residents, PCI DSS applies to cardholder data, SOX covers financial records, and CMMC addresses controlled unclassified information in defense. Penalties for non-compliance range from thousands to millions of dollars per incident.
The Bottom Line
The pattern across every case study is the same: organizations and individuals trusted that their data was gone without verifying it. Proper erasure with certified tools and a documented chain of custody would have prevented every one of these breaches. Whether you are decommissioning a data center or selling a laptop, wipe your drives with verified software, keep the certificate, and never assume formatting was enough.
Last updated: February 2026. We regularly review and update our guides to ensure accuracy.
Sources:
- U.S. Securities and Exchange Commission. "Morgan Stanley Smith Barney LLC Agrees to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers," September 2022. https://www.sec.gov/news/press-release/2022-168
- UK Information Commissioner's Office. "Brighton and Sussex University Hospitals NHS Trust Monetary Penalty Notice," 2012. https://ico.org.uk/action-weve-taken/enforcement/brighton-and-sussex-university-hospitals-nhs-trust/
- UK Information Commissioner's Office. "NHS Surrey Monetary Penalty Notice," 2013. https://ico.org.uk/action-weve-taken/enforcement/nhs-surrey/
- Blancco Technology Group and Ontrack. "Privacy for Sale: Data Security Risks in the Second-Hand IT Asset Marketplace," 2019. https://www.blancco.com/resources/privacy-for-sale/
- Garfinkel, S. and Shelat, A. "Remembrance of Data Passed: A Study of Disk Sanitization Practices," IEEE Security and Privacy, 2003. https://simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf
- Jones, A., Valli, C., et al. "The 2009 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market," University of Glamorgan. https://pure.uws.ac.uk/en/publications/the-2009-analysis-of-information-remaining-on-disks-offered-for-s
- NIST Special Publication 800-88 Rev. 1: Guidelines for Media Sanitization. https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final