On Tuesday, Morgan Stanley agreed to pay a $35 million fine to the Securities and Exchange Commission (SEC) for data security violations that included the resale of unencrypted hard drives from shut-down data centres without first wiping them.
According to the SEC complaint, the improper disposal of tens of thousands of hard drives, which began in 2016, was part of an “extensive failure” over a five-year period to protect consumer data as required by federal regulations. The agency also cited improper disposal of hard drives and backup tapes when servers at local branches were being decommissioned. In total, the SEC said, the data of 15 million consumers was exposed.
“Amazing mistakes”
Gurbir S. Grewal, director of the SEC’s enforcement division, described the failings in this case as “astonishing,” referring to the company by the initials MSSB. Customers trust financial professionals with their personal information in the belief that they will protect it, he said, and MSSB grossly failed to do so.
The disaster stemmed mostly from the 2016 decision to decommission thousands of hard drives and servers storing the data of millions of customers using a moving firm that had no experience or expertise in data destruction services.
The moving company also removed over 8,000 backup tapes from one of the Morgan Stanley data centres along with 53 RAID arrays that housed about 1,000 hard drives in total.
The unnamed moving firm initially hired an IT specialist to wipe or destroy any sensitive data kept on the drives. The moving company eventually stopped working with that specialist and began selling the storage devices to another business, which then sold them at auction. Morgan Stanley never vetted that business or approved it to work as a contractor or subcontractor on the decommissioning project.
More than a year after the decommissioning of the data centre, in 2017, Morgan Stanley officials received an email from an IT consultant in Oklahoma notifying them that data from Morgan Stanley was stored on hard drives he had bought from an online auction site.
“In that email, Consultant warned MSSB that ‘[y]ou are a significant financial institution and should be following some very severe criteria on how to deal with retiring hardware, or at the very least acquiring some sort of confirmation of data destruction from the vendors you sell equipment to,’” the SEC complaint states. MSSB eventually repurchased the Consultant’s hard drives.
The SEC action also found that many of the storage devices were not encrypted, even though the option to enable encryption was available.
Without admitting or denying the SEC’s findings, Morgan Stanley consented on Tuesday to the conclusion that it had violated Regulation S-P’s Safeguards Rule and Disposal Rule, and agreed to pay the $35 million fine.
Officials from Morgan Stanley said in a statement, “We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to or misuse of personal client information.”