Morgan Stanley’s Hard Drive Destruction Investment Failure

$155 Million in fines and settlements.
While physical data breaches have declined substantially in the last 10 years, they can still happen without proper diligence. That lack of diligence and vendor oversight has led to a $35M fine for Morgan Stanley from the SEC and a class-action settlement of $60M over the same breach. This is in addition to a $60M fine from the Comptroller of the Currency in 2020. All for improperly decommissioning server hard drives.

SEC investigators found that Morgan Stanley regularly relied on a moving and storage company with no experience in data destruction or hard drive decommissioning to get rid of its hard drives, and failed to monitor what that company was doing. While the moving company had agreed to work with a third-party e-waste management company that would have wiped the hard drives, it found it more profitable to sell the equipment instead, including an inventory of 1,000 hard drives from RAID (redundant array of independent disks) arrays, plus 8,000 backup tapes.

In July 2020, Morgan Stanley notified the 15 million affected customers that their data had likely been exposed. It said that account names and numbers for Morgan Stanley and for any linked bank accounts were at risk. Social Security numbers, passport numbers, contact information, dates of birth, asset values and holdings data also may have been exposed. Affected customers were offered two years of prepaid credit monitoring services.

Data Decommissioning Essentials
Ensuring the proper decommissioning of old hard drives might sound boring, but it is something IT departments have regularly practiced for years, for obvious reasons: unless they are reliably destroyed, old hard drives will undoubtedly pop up on eBay, or somewhere worse, with stored customer data intact.

So how did Morgan Stanley forget the “destroy your old hard drives” data-decommissioning essential? That’s the question regulators have been asking.

“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” says Gurbir S. Grewal, director of the SEC’s Enforcement Division.

A simple lack of vendor oversight has resulted in $155M in fines and settlements. Even as the IT threat landscape changes, it is important not to overlook the basics of security: data encryption and data destruction. If you have questions about your IT security practices, call ITPAC today.