In recent years, the risks tied to IT Asset Disposal have become impossible to ignore. Even large financial institutions have faced heavy fines and reputational damage for failing to handle their retired IT equipment properly. One of the most notable examples is Morgan Stanley, which was fined more than USD 163 million after regulators found serious lapses in how it disposed of old servers and devices.

For businesses in Singapore, this highlights a simple truth: IT Asset Disposal is not just about clearing out old equipment. It is about protecting sensitive data, complying with regulations, and safeguarding your reputation.

The Morgan Stanley IT Asset Disposal Case

Between 2015 and 2017, Morgan Stanley decommissioned two data centers in the United States. Instead of engaging a certified IT Asset Disposal provider, it hired a moving and storage company with no expertise in secure data destruction. The result was severe. Servers and hard drives containing customer data were sold to third parties without being wiped. Some of these devices were later resold online.

Regulators acted quickly. In 2020, the U.S. Office of the Comptroller of the Currency fined the bank USD 60 million for oversight failures. Two years later, the U.S. Securities and Exchange Commission added another USD 35 million penalty, stating that the bank had not properly safeguarded the personal data of about 15 million customers. In the same year, Morgan Stanley also settled a class-action lawsuit for more than USD 60 million with affected customers.

Morgan Stanley also faced a USD 6.5 million settlement with six U.S. states led by New York Attorney General Letitia James. The bank was accused of failing to properly decommission equipment and protect the unencrypted data of 1.1 million New Yorkers. Equipment containing private information had been sold at auction, and in another incident, 42 servers went missing. The settlement required Morgan Stanley to adopt stronger cybersecurity measures, including encryption of all personal data, formal incident response planning, and stricter vendor controls.

In total, the mishandling of retired IT assets have cost the bank hundred of millions of dollars, not including reputational damage. Regulators noted that Morgan Stanley failed to vet its vendor, did not maintain proper oversight, and could not account for all devices containing sensitive customer data.

This case shows that even a global institution with vast resources is not immune to the consequences of poor IT asset management. For smaller businesses, the outcome of a similar mistake could be devastating.

Legal Issues of Other Finance Companies

Morgan Stanley is not the only major financial institution facing regulatory penalties for lapses in compliance and oversight.

Goldman Sachs: In 2023, Goldman Sachs agreed to pay USD 6 million to the SEC for failing to provide accurate and complete data in its electronic blue sheet submissions. Over a period of ten years, the bank made more than 22,000 inadequate submissions, covering 163 million transactions with 43 different types of errors. The SEC found that Goldman did not have adequate processes to verify its reporting systems.
Washington Trust Bancorp: The Washington Trust Company, a subsidiary of Washington Trust Bancorp, settled with the U.S. Department of Justice for alleged violations of fair lending laws in Rhode Island between 2016 and 2021. As part of the settlement, Washington Trust agreed to provide USD 7 million in mortgage subsidies and USD 2 million in community outreach efforts. While no civil monetary penalties were imposed, the settlement underscores the importance of regulatory compliance and accountability in the financial industry.

These examples show that regulators are not hesitating to act against companies that fail to meet their obligations. Whether it is customer data protection, reporting accuracy, or fair lending practices, the consequences of cutting corners can be costly.

Why Businesses in Singapore Should Pay Attention

Every company here, from large corporations to SMEs, deals with IT equipment at the end of its lifecycle. The temptation is often to sell old devices to whoever offers the highest price or to hand them over to informal collectors. While that may seem convenient, it leaves businesses exposed to major risks:

Data breaches: Residual data can remain on devices even after files are deleted or factory resets are performed.
Regulatory penalties: Under Singapore’s PDPA, companies face fines of up to SGD 1 million if personal data is compromised.
Reputation damage: Customers are rarely forgiving when their information is leaked, and rebuilding trust can take years.

Morgan Stanley could absorb the financial blow. Many Singapore businesses would not survive the financial and reputational impact of a similar failure.

What Proper IT Asset Disposal Process Looks Like

A certified ITAD provider ensures that assets are handled securely and responsibly. A proper process should include:

Secure collection and transport with full chain-of-custody tracking.
Certified erasure or destruction using standards such as NIST 800-88, degaussing, or shredding.
Audit trails and certificates that prove data has been permanently destroyed.
Responsible recycling or resale to ensure equipment is either reused or broken down in line with environmental standards.

This level of assurance cannot be provided by an informal buyer. Proper IT Asset Disposal is about reducing risk while staying compliant and protecting customer trust.

IT Asset Disposal

The Smarter Way Forward

At Arkiva, we combine data security with value recovery. Our IT Asset Disposal services include:

Tamper-proof certificates of destruction that are audit-ready.
Flexible destruction options carried out on-site or off-site.
Buyback programs so companies can safely recover value from their old devices.

This approach ensures that businesses remain secure, compliant, and able to make the most of their retired IT assets.

The Morgan Stanley case is a warning for every businesses. Improper IT Asset Disposal is not a minor oversight. It is a costly liability.

In Singapore, where data protection laws are clear and penalties are strict, companies cannot afford to take shortcuts. Whether you are a large enterprise or an SME, the choice is straightforward. Either risk your future by cutting corners, or protect it by working with a certified IT Asset Disposal provider.

Your old IT assets may no longer serve your business, but if handled carelessly, they can still put your company at risk. The safe choice is also the smarter one. Reach out to our consultants at Arkiva and we will be more than happy to help.