[SIGCIS-Members] computer security booboos: Morgan Stanley Lost Some Hard Drives

Jonathan Coopersmith j-coopersmith at tamu.edu
Tue Sep 20 21:55:11 PDT 2022

If anyone is working on avoidable data security blunders or poor corporate
management, here's a contemporary story of interest complete with SEC links.

Stay sane,


Jonathan Coopersmith
Professor (retired)
Department of History
Texas A&M University
College Station, TX  77843-4236
979.739.4708 (cell)
979.862.4314 (fax)

---------- Forwarded message ---------
From: Jonathan Coopersmith <jonathan.coopersmith at gmail.com>
Date: Tue, Sep 20, 2022 at 11:24 PM
Subject: Fwd: Money Stuff: Morgan Stanley Lost Some Hard Drives
To: COOPERSMITH <j-coopersmith at tamu.edu>



---------- Forwarded message ---------
From: Matt Levine <noreply at mail.bloombergview.com>
Date: Tue, Sep 20, 2022 at 1:27 PM
Subject: Money Stuff: Morgan Stanley Lost Some Hard Drives
To: <jonathan.coopersmith at gmail.com>

Don’t throw out your computers

Well here’s my new financial heist movie script. A big bank has a lot of
computers that keep track of its customers’ accounts. It periodically buys
new computers to do a better job of keeping track of those accounts. When
it does that, it hires a moving company to cart away all of the old
computers. The moving company makes a few extra bucks by selling the old
computer hardware to, I don’t know, scrappy small technology businesses
that are happy to have the bank’s slightly outdated hardware. Ideally the
bank, or the moving company, would delete all the data on the computers
first, but that takes time and time is money and sometimes they forget.

So what you do is, you set up a scrappy small tech business as a cover, and
you go to the bank’s moving company’s computer sale and buy all the
computers, and then you turn them on and get all of the bank’s customers’
account information, and then you steal their money. Okay, having written
this all out, I guess it is a boring heist movie, never mind. Still

The Securities and Exchange Commission today announced charges against
Morgan Stanley Smith Barney LLC (MSSB) stemming from the firm’s extensive
failures, over a five-year period, to protect the personal identifying
information, or PII, of approximately 15 million customers. MSSB has agreed
to pay a $35 million penalty to settle the SEC charges.

The SEC’s order finds that, as far back as 2015, MSSB failed to properly
dispose of devices containing its customers’ PII. On multiple occasions,
MSSB hired a moving and storage company with no experience or expertise in
data destruction services to decommission thousands of hard drives and
servers containing the PII of millions of its customers. Moreover,
according to the SEC’s order, over several years, MSSB failed to properly
monitor the moving company’s work. The staff’s investigation found that the
moving company sold to a third party thousands of MSSB devices including
servers and hard drives, some of which contained customer PII, and which
were eventually resold on an internet auction site without removal of such
customer PII. While MSSB recovered some of the devices, which were shown to
contain thousands of pieces of unencrypted customer data, the firm has not
recovered the vast majority of the devices.

Great stuff. If you find a 2016-vintage Morgan Stanley computer on EBay and
crack it open to find customer information, I guess you can … do
… something with that? I don’t know. Here, from the SEC complaint
is what one guy did:

On October 25, 2017, nearly a year after the completion of the 2016 Data
Center Decommissioning, MSSB received an email from an IT consultant in
Oklahoma (“Consultant”). In that email, Consultant informed MSSB that he
had purchased hard drives from an online auction site and that he had
access to MSSB’s data on those devices. In that email, Consultant informed
MSSB that “[y]ou are a major financial institution and should be following
some very stringent guidelines on how to deal with retiring hardware. Or at
the very least getting some kind of verification of data destruction from
the vendors you sell equipment to.” MSSB eventually repurchased the hard
drives in Consultant’s possession.

Somehow the SEC neglects to mention how much Morgan Stanley paid him for
those hard drives. How much would you charge Morgan Stanley for the hard
drives in this situation? I do not want to give you legal advice, and I
think that you would want to get some legal advice before trying this, but
I think if you offered these hard drives to Morgan Stanley for, say,
$100,000 each, they might pay you? Is there a bug bounty program for, you
know, you threw out the wrong hard drive? They paid the SEC $35 million;
there is money in the budget for this sort of thing.

The rest of the complaint is full of suggestive hints at the scale of
Morgan Stanley’s after-the-fact garbage hunt:

In late 2017, MSSB launched an investigation into the disposition of the
devices that were part of the 2016 Data Center Decommissioning project and
determined that Moving Company had also delivered the 8,000 back-up tapes
removed from one of the data centers to IT Corp B. MSSB emailed IT Corp B
on January 19, 2018 asking whether IT Corp B could “confirm the disposition
of …3k lbs of tapes.” IT Corp B responded: “I can confirm that we did send
this load of tapes for secure waste to energy incineration. Although that
lot # is not the lot # we used. They were processed ‘Confidential Material’
in June of 2016.” MSSB’s basis for believing that these tapes were in fact
destroyed without any unauthorized access to customer PII and consumer
report information hinges on this email. MSSB has no other verification or
documentation that these tapes were destroyed.

In June 2021, MSSB obtained another fourteen of the missing hard drives
from a downstream purchaser. Based on forensic analysis of these hard
drives, thirteen of the devices contained a total of at least 140,000
pieces of customer PII. The vast majority of the hard drives from the 2016
Data Center Decommissioning remain missing. …

MSSB has identified an international shipping project that may have
involved Moving Company. MSSB can state only that “documents suggest” that
Moving Company transported 18-36 unspecified devices to a storage location
in New York City. It was contemplated that those devices would be shipped
internationally to Europe, potentially by Moving Company.

Possibly thousands of ancient Morgan Stanley storage devices, all over the
globe, possibly full of customer data, possibly useful for nefarious
purposes. Probably not; there is no suggestion that anyone did anything at
all nefarious with any of these things, and also not much suggestion that
you *could* do anything particularly bad. (You’re not supposed to hand out
customers’ “personal identifying information” to random hackers, but
there’s no suggestion that it was, like, account passwords.)

In recent years it has been popular for investment bank executives to say
that they were becoming tech companies: They were hiring developers,
building apps, talking about big data. This is a good thing to say, I
suppose, insofar as being a tech company means that you can make large
profits without putting too much of your own balance sheet at risk, that
you can scale rapidly, that you can compete with Silicon Valley for

But there is also an old-school understanding of investment banking in
which it is a business of implicit knowledge, of personal connections, that
the value that a good banker can add can’t be reduced to an algorithm.
There is a tension there. If banks are tech companies then they will invest
in good consistent electronic communication tools that create good
searchable records. If banking is a business of personal connections, then
bankers will ignore those tools and text clients on their personal cell
phones because *that feels more personal*. Morgan Stanley got fined $200
million for that this summer. You are supposed to use the official
communication tools.

Similarly, if banking is a business of implicit knowledge, go ahead and
throw out the old hard drives; what’s important is the knowledge in the
hearts and minds of the bankers. If banking is a data business, you should
probably wipe the hard drives before you throw them out.



A special purpose acquisition company is a gamble by its sponsors. The way
a SPAC works is that the sponsors — often a private equity firm, but
sometimes just a handful of rich individuals — spend a few million dollars
of their own money to pay some startup costs for the SPAC. These fees pay
for underwriters, lawyers, accountants, registration fees, etc. And then
the SPAC raises a few hundred million dollars from public investors, and
the sponsors have two years to find a company to take public with that
money. If they find a target, and the public investors approve the deal,
the sponsors generally get rich. In rough numbers they get shares of the
target company worth about 25% of the hundreds of millions of dollars that
they raised from the public. Their early investment of a few million
dollars can turn into hundreds of millions of dollars of public-company
stock. (Generally if they find a deal the SPAC’s sponsors will invest more
of their own money, so it’s not quite this lucrative, but that is the
essential nature of the gamble.) It is helpful if they find a *good* target
and the stock goes up, but the main thing is that if they do a deal at all
they get amply paid. If they don’t, they give the public investors their
money back and lose their startup investment.

The payoff there is incredibly asymmetric, and so for a while in 2020 and
early 2021 everyone with a reputation and a few million dollars to spare
piled into the SPAC business. “You and some buddies put up $500,000 each
and then you get back $20 million each” was a not entirely inaccurate pitch
for sponsoring a SPAC. This led to a SPAC glut: There were more SPACs than
good deals, the market got pickier, and now it is 2022 and a lot of SPACs
look likely to reach their two-year deadline without a deal. Their sponsors
will lose their wagers.

The King of SPACs was (is?) Chamath Palihapitiya, the founder of Social
Capital. He was early to the boom: He launched a SPAC with the clunky name
Social Capital Hedosophia Holdings Corp., and the punchy ticker IPOA, [1]
back in 2017.
IPOA raised $600 million
and used it to do a merger with space company Virgin Galactic Holdings
Inc.; Social Capital started by putting about $12 million into the SPAC to
cover startup costs, and ended up with hundreds of millions of dollars of
stock. (Palihapitiya cashed in
$315 million worth earlier this year.) Virgin closed yesterday at $5.29,
down about 47% from the $10 price at which IPOA raised money, so if you
were in this SPAC from the beginning it was not exactly a *good* deal. But
it was *a* deal, and Palihapitiya made a lot of money from it.

Also to be fair for a while it looked like a good deal — Virgin closed as
high as $59.41 last February — and Palihapitiya used that success to raise
more and bigger SPACs. IPOB, IPOC, IPOD, IPOE, IPOF, etc. [2]; IPOF — Social
Capital Hedosophia Holdings Corp. VI — raised $1.15 billion
in October 2020. The sponsor — Social Capital, Palihapitiya’s firm — put
about $22 million into that one for startup costs. If it had closed a deal,
it would have paid off hundreds of millions of dollars. It did not.
Palihapitiya announced today on his Substack

Today, we started the process of winding down IPOD and IPOF.

This means that the funds raised by IPOD and IPOF will be returned to their
respective shareholders. Over the past two years, we evaluated more than
100 targets and while we came close to doing a deal several times, we
ultimately walked away each time for a couple of reasons:

Valuation. A combination of factors made it very difficult to find a
company at a reasonable valuation and margin of safety. Ultimately, to get
a deal done would have required us stretching on price or buying an
inferior asset – neither were things we felt comfortable doing.

Volatility. We saw resistance from management teams who either weren’t
prepared for or didn’t want to face the public markets in the face of
current volatility.

I cannot fault this. Each time he launched a SPAC, Palihapitiya bet $20
million-ish to win $300 million-ish. The bets kept paying off, so he kept
playing. If all of those bets had paid off — if he had launched only SPACs
that actually ended up finding deals — then that would have been way too
conservative. These were very high expected value bets, so he made a lot of
them. Some of them didn’t work out, but all in all he did great

The founder and CEO of Social Capital Holdings Inc. said in an interview
that the company has made about $750 million in SPACs, roughly doubling its
money. The gains come from the six deals it completed such as SoFi. SPAC
creators are protected from big losses through lucrative incentives. Social
Capital creates its SPACs by partnering with other investment firms.

Bloomberg reported in August

All five of his SPACs that merged with acquisition targets are now trading
well below their starting price of $10. Some, like Virgin Galactic Holdings
Inc., are down more than 25%. Taken from its peak price, back in February
2021, when Palihapitiya was tweeting things like “trust the process” with a
screenshot of his SPAC returns, the stock is down 88%.

Palihapitiya was for a time an advocate for SPACs as a way to democratize
initial public offerings and bring disruptive new companies to the markets
— “IPO 2.0,” he called it — and I suppose you could quibble with the results
there. But
as a feat of market timing it is hard to argue with his track record.

A special purpose acquisition company is a gamble by its sponsors, etc. The
payoff is incredibly asymmetric, and so for a while in late 2020 and early
2021 everyone with a reputation and a few million dollars to spare piled
into the SPAC business. This included a lot of random rich people who saw
their friends making money and wanted in on the action. And then there was
a SPAC glut, deals got scarce, and some number of SPAC sponsors are going
to lose their wagers. We have talked about this before
and I confess that I find it kind of funny: Late-in-the-boom SPACs are the
rare financial innovation that worked out fine for ordinary investors (who
get their money back with interest) but fleeced rich well-connected

One weird result of this is that if you are a late-in-the-boom SPAC sponsor
you are probably rich but maybe not *that* rich, and while the payoff of a
SPAC is very asymmetric, (1) it looks increasingly distant and (2) you
don’t want to throw good money after bad. And SPACs have pretty thin
balance sheets given their potential riches. So we have talked recently
about Digital World Acquisition Corp., the $293 million SPAC that has
signed a deal to take Trump Media & Technology Group public. DWAC’s
sponsors put up about $11.3 million to start the SPAC, and if the deal
closes their stake could be worth
$165 million. But the deal is still in limbo, due mostly to the US
Securities and Exchange Commission’s review of the proxy statement for the
merger, and the sponsors had to put up another $2.9 million for a
three-month extension, and they waited until the absolute last minute to do
that. On the one hand betting $2.9 million to win $165 million seems like a
good deal. On the other hand the odds aren’t great, money might be a bit
tight, and every penny comes out of the sponsors’ own pockets.

Anyway this made me laugh

Executives behind a blank-cheque company that plans to take Donald Trump’s
media business public have failed to pay their proxy solicitors even as
they struggle to drum up support for an extension to complete the deal.

Digital World Acquisition Corporation, a special purpose acquisition
company set up by Patrick Orlando, has not paid Saratoga Proxy Consulting
for its work helping to rally shareholders, according to people familiar
with the situation.

DWAC owes the New York-based firm a six-figure sum but Orlando has informed
it that there is no money to pay the bill, one of the people said. On
Friday, the company announced that it had brought on a new proxy solicitor,
Alliance Advisors. …

Despite an aggressive campaign by Orlando to reach DWAC’s base of retail
investors, just over 40 per cent have voted in favour of the extension as
of this week, according to a source familiar with the count. The company
requires 65 per cent of shareholders to approve extending the deadline at
its meeting on October 10.

Retail investors are notoriously difficult to reach and companies can often
end up spending millions of dollars soliciting their votes.

Yeah I mean on the one hand you really do want those votes; spending a few
million dollars on proxy soliciting to make $165 million feels like a good
deal. On the other hand:

   1. Even if you can drum up the retail votes for the extension, there is
   no guarantee of the deal actually closing;
   2. That proxy-solicitor money comes out of your own pocket; and
   3. Given that they only got 40% of the shareholders to vote, it’s not
   totally clear that Saratoga exactly earned its fees.

In other DWAC news, its PIPE — the $1 billion private investment in public
it raised from some investors late last year — is due to expire today. The
New York Times reported last week

Representatives for several investors in the PIPE agreement, all of whom
declined to be identified because the deal is still pending, said they had
not decided what to do if the agreement expired, but at least a few were
ambivalent about remaining in the deal.

The investor representatives said neither Digital World nor E.F. Hutton,
the investment bank that arranged the financing, had offered any guidance.
One investor responded to a question about the status of the financing deal
with an emoji of a person shrugging.

We have talked about that PIPE before, and it seems like an unbelievably
good deal
for its investors, if the deal ever closes. If the deal doesn’t close then
it costs those investors nothing but the time and aggravation of dealing
with DWAC and Trump Media & Technology Group. Which is maybe too much to
pay, given the current odds.

IPO 1.0

Here’s a story about Instacart Inc.’s planned initial public offering

In meetings with prospective investors in recent weeks, Instacart
executives said they didn’t plan to issue many new shares in their IPO, the
people said. The sale of mostly employee shares would allow Instacart’s
staff, including some of its earliest hires, to at last cash out of some of
the shares they have been accumulating. …

While Instacart will sell a small percentage of new shares, the bulk of its
offering will come from employee shares that will be sold directly to new
investors at an agreed-upon price ahead of a stock-market debut. Details of
the listing could change depending on market conditions and other factors.

Instacart had previously leaned toward going public through a direct
listing, The Wall Street Journal previously reported.

In a direct listing, a company’s shares simply start trading on an exchange
on a set day. There is a reference price for where trading could start, but
no shares are sold in advance at that price. Existing shareholders can sell
their shares, but companies don’t raise any cash by going public.

Yeah two years ago this would have been a direct listing. “Your employees
can just sell stock on the stock exchange without a big coordinated
process; they’ll get the market-clearing price rather than having to sell
at a discount so big institutions can get an IPO pop.” Now it’s a normal

One possible story here is that direct listings and SPACs are solutions to
the bull-market problem that IPOs mostly go up
If you price an IPO at $20 and the stock trades up to $30 in a day, you
“left money on the table.” If every week 10 companies price IPOs that trade
up 50%, and you want to go public, you will start thinking about ways to
avoid leaving money on the table. Selling stock in a direct listing — where
you get the market-clearing price in an auction, not a price negotiated
with your underwriters based on stated demand from big institutions — is a
way to do that. A SPAC is not
particularly, but it was marketed that way anyway.

But when the stock market is down and volatility is up, SPACs and direct
listings are less appealing. The IPO pop — the propensity of most IPOs to
trade up on the first day — pays for certainty. “We bring you IPOs every
week and they usually go up,” banks implicitly say to their investor
clients, “so if you like that service we expect you to buy the IPOs that
don’t go up too.” If you sell stock in a direct listing, nobody has to buy
it. If you sell stock in an IPO, they … well, nobody *has* to buy it, but
it is encouraged. [3] In a down
market you don’t have to worry about the problem of IPOs going up too much;
you have to worry about actually getting your money. The IPO might be a
better way of doing that than the alternatives.

It’s fun to have fun

Aww this is sweet

Amid the wreckage of the great bond-market bust of 2022, there is a silver
lining for some: Traders in the trenches of the $24 trillion Treasury
market say it’s finally exciting again. ...

Of course in finance, the level of excitement is usually tightly
correlated with the amount of money being made. So it’s no surprise the two
are rising in tandem. Trading revenues have boomed for the major US banks
with a strong presence in US rates markets. At Citadel Securities, an
important provider of prices in the Treasury market, this year’s turbulence
led to a record $4.2 billion in first-half net trading revenue.

“We are right in the sweet spot of rates really being an interesting
market, with clients being excited to trade,” said Paul Hamill, head of
global fixed income, currencies and commodities distribution at Citadel
Securities. “Everyone is spending all day talking to clients and talking to
each other. It’s been fun.”

I recommend taking that quote as literally as possible. The head of fixed
income at Citadel Securities is like “oh I get to talk to my friends all
day, it’s so fun.” How nice for him.

We have spent years around here talking about how people were worried about
bond market liquidity: People who wanted to buy and sell bonds had a hard
time doing it, because banks and other market makers were not willing to
commit a lot of capital. This worry was often expressed as a hypothetical:
Sure, things look fine now because the market is quiet, but in times of
volatility the lack of liquidity will be a problem. But of course times of
volatility are when market makers can make a lot of money. Which makes them
more willing to commit capital, because they are having fun.

Things happen

Wall Street’s Mysterious 2,200% IPOs Come From Tiny N.J. Broker. Porsche
Investor Demand Exceeds $9.4 Billion Offering in Hours. Calpers admits
ignoring private equity boom cost up to $18bn of gains. Judge Rejects
Antitrust Challenge to UnitedHealth Acquisition. Private Oil Drillers Are
Hitting Their Limits. Goldman Sachs hunts new revenues in EU transaction
banking push. House Republicans Plan to Investigate Chamber of Commerce If
They Take the Majority. Do MBAs Want To Be Billionaires? Beyond Meat COO
Arrested for Biting Man’s Nose After College Football Game.

[1] Like, “initial public offering,” with “A” because it was the first of a

[2] Also some Social Capital Suvretta Holdings Corp. SPACs under the
tickers DNAA, DNAB, DNAC, etc., for biotech investing.

[3] With SPACs, meanwhile, you get certainty of price but not of proceeds:
If SPAC investors don’t like a deal, they can withdraw their money, and
post-boom SPAC deals often involve very high redemption rates. If you are a
private company that wants to raise $300 million, merging with a $300
million SPAC might leave you with only $15 million, which is not great. If
you do an IPO you might get a worse price, but you have better odds of
getting the money.

Stay sane,


Jonathan Coopersmith
College Station, Texas and Washington, DC

America's dangerous stab-in-the-back myth:


Racial disparities of waiting to vote: