Sold to highest bidder
“Amazing Failure” for 5 years.
Dan Goodin
Morgan Stanley agreed on Tuesday to pay the U.S. Securities and Exchange Commission (SEC) $35 million in fines for data security breaches that included unencrypted hard drives from decommissioned data centers being resold on auction sites without first being purged.
The SEC action said the mishandling of thousands of hard drives beginning in 2016 was part of a “widespread failure” over a five-year period to protect customer data as required by federal regulations. The agency said the failure also included the mishandling of hard drives and backup tapes when decommissioning servers at the local branch. In total, the SEC said the data of 15 million customers was compromised.
“Shocking Failure”
“The failure of the MSSB in this situation is appalling,” said Gurbir S. Grewal, director of the SEC's Enforcement Division, using the acronym for Morgan Stanley Smith Barney, the firm’s full name. “Customers entrust their personal information to financial professionals with the understanding and expectation that this information will be protected, and MSSB has done a terrible job of doing this.”
Most of the failures stemmed from the 2016 hiring of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers holding the data of millions of customers. The moving company received 53 RAID arrays containing about 1,000 hard drives in total, and it removed about 8,000 backup tapes from one of Morgan Stanley’s data centers.
The unnamed moving company originally contracted with an IT specialist to wipe or destroy any sensitive data stored on the drives. Eventually, the moving company stopped working with the specialist and started selling the storage equipment to another company, which in turn sold it at auction. The new company was never vetted by Morgan Stanley and was never approved as a contractor or subcontractor for decommissioning projects.
In 2017, more than a year after the data center was decommissioned, Morgan Stanley officials received an email from an IT consultant in Oklahoma informing them that a hard drive he had bought from an online auction site contained Morgan Stanley data.
SEC officials wrote in the complaint: “In that email, the consultant informs the MSSB that ‘[you] are a major financial institution and should follow some very strict guidelines on how to deal with decommissioned hardware. Or at least get some sort of data breach verification from the vendor you sell the equipment to.’ MSSB eventually repurchased the hard drives owned by the advisors.”
The SEC action also says many storage devices did not have encryption turned on, despite having this option. Even after the investment firm started using encryption options in 2018, only new data written to disk was protected. In some cases, data was still not properly encrypted due to flaws in unidentified vendor products.
Without admitting or denying the SEC's claims, Morgan Stanley agreed with Tuesday’s ruling that it violated the safeguards and disposal rules under Regulation S-P and agreed to pay a $35 million fine.
In a statement, Morgan Stanley officials wrote: “We are pleased to have resolved this issue. We have previously notified applicable customers of these matters that occurred several years ago and have not been aware of any unauthorized access or misuse of personal customer information.”