Updated 2022-09-25: Morgan Stanley settles after customer data auctioned
You couldn’t make this up: banking giant Morgan Stanley settled charges with the SEC this week for “astonishing failures” over a five-year span, reports Ars Technica. The SEC says Morgan Stanley failed to properly wipe decommissioned hard drives packed with customer data, which ended up flogged for resale on internet auction sites. You know, like eBay. Morgan Stanley will pay $35 million to settle charges over failures that exposed millions of customers’ personal information. Breathtakingly negligent.
Updated 2022-09-20: Morgan Stanley Fined Over Inadequate Data Protection
Morgan Stanley has agreed to pay $35 million to settle US Securities and Exchange Commission (SEC) charges that it failed “to protect its customer records and information, including personal identifying information (“PII”), and properly dispose of consumer report information.” The charges stem from the company’s decommissioning of two data centers, which resulted in unscrubbed devices from those data centers being sold to third parties, and from inadequate protection of customer data on decommissioned servers from local offices.
Note
- It would have cost Morgan Stanley much less than $35M to verify for themselves that the devices were wiped, or at least to check up on the moving company (which had never done this type of work before) rather than just checking the box.
- Make sure you have media sanitization policies for any media being released or reused, so that nothing reaches the new owner beyond what they need to know. Even cloud or outsourced services should have clear information disposition processes which you can verify.
- Device-level encryption protects data while the device is in use and reduces the cost of secure disposal: destroying the key (cryptographic erase) renders the ciphertext on the media unreadable without overwriting every sector.
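Checking the box is cheap; checking the drive is not much more expensive. The following is an added example, not code from the SEC material, Morgan Stanley or any vendor named above: it spot-checks a disk image or block device for evidence of a botched wipe by reading sectors and flagging any that are not the expected fill byte, and by scanning the head of the device for filesystem and partition-table signatures that survive a quick format or partition delete but not a real sanitization. The two test images it builds under a temporary directory are constructed here for illustration; the `check_wipe`, `make_image` and `demo` names are this example's own.

```python
"""Spot-check that a decommissioned disk (image or block device) was really wiped.

Added example, not part of the SEC complaint or any vendor tooling. Run as
  python check_wipe.py                # builds two constructed images and reports on them
or import check_wipe() and point it at /dev/sdX (read-only, as root) or a .img file.
"""
import os
import random
import tempfile
from dataclasses import dataclass, field

SECTOR = 512

# (offset, magic) pairs that a real sanitization destroys but a quick "format"
# or a partition delete often leaves behind. Offsets are from the start of the
# device or partition; the ext magic is 0xEF53 little-endian at superblock+0x38.
SIGNATURES = {
    "MBR/GPT protective boot signature": (0x1FE, b"\x55\xAA"),
    "GPT header": (SECTOR, b"EFI PART"),
    "NTFS": (0x03, b"NTFS    "),
    "FAT32": (0x52, b"FAT32   "),
    "ext2/3/4 superblock": (0x400 + 0x38, b"\x53\xEF"),
    "LUKS header": (0x00, b"LUKS\xba\xbe"),
}


@dataclass
class WipeReport:
    size: int
    sectors_checked: int
    dirty_sectors: list = field(default_factory=list)
    signatures: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not self.dirty_sectors and not self.signatures


def check_wipe(path: str, samples: int = 4096, fill: int = 0x00, seed=None) -> WipeReport:
    """Read sectors of `path` and report any that are not entirely `fill` bytes.

    If `samples` covers the whole device every sector is read; otherwise a random
    subset plus the first and last sector is read. `fill` is 0x00 for a zero-fill
    wipe and 0xFF for an all-ones pass. Any recognised signature in the first 64 KiB
    is reported separately, since it is the clearest sign that no wipe happened.
    """
    rng = random.Random(seed)
    with open(path, "rb", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)          # works for image files and Linux block devices
        nsec = size // SECTOR
        f.seek(0)
        head = f.read(min(size, 64 * 1024))
        report = WipeReport(size=size, sectors_checked=0)
        for name, (off, magic) in SIGNATURES.items():
            if head[off:off + len(magic)] == magic:
                report.signatures.append(name)
        if samples >= nsec:
            chosen = range(nsec)                # full scan
        else:
            chosen = sorted({0, nsec - 1, *rng.sample(range(nsec), samples)})
        expected = bytes([fill]) * SECTOR
        for sec in chosen:
            f.seek(sec * SECTOR)
            if f.read(SECTOR) != expected:
                report.dirty_sectors.append(sec)
            report.sectors_checked += 1
    return report


def make_image(path: str, size: int, leftover: bool) -> None:
    """Write a constructed test image: all zeros, or zeros plus the residue that a
    partition delete leaves behind (boot signature, ext4 magic, a plaintext record)."""
    with open(path, "wb") as f:
        f.truncate(size)                        # sparse, zero-filled
        if leftover:
            f.seek(0x1FE); f.write(b"\x55\xAA")                 # sector 0
            f.seek(0x438); f.write(b"\x53\xEF")                 # sector 2 (ext superblock magic)
            f.seek(1000 * SECTOR)                               # sector 1000
            f.write(b"customer record: acct 00000000 (constructed sample)")


def demo() -> dict:
    """Build one wiped and one 'leftover' 1 MiB image and check both."""
    d = tempfile.mkdtemp(prefix="wipecheck-")
    wiped, leftover = os.path.join(d, "wiped.img"), os.path.join(d, "leftover.img")
    make_image(wiped, 1 << 20, leftover=False)
    make_image(leftover, 1 << 20, leftover=True)
    return {"wiped": check_wipe(wiped), "leftover": check_wipe(leftover)}


if __name__ == "__main__":
    for name, r in demo().items():
        verdict = "CLEAN" if r.clean else "NOT WIPED"
        print(f"{name}: {verdict} ({r.sectors_checked} sectors checked, "
              f"dirty={r.dirty_sectors[:10]}, signatures={r.signatures})")
```

A clean report is evidence, not proof: sampling can miss isolated leftovers, so use a full scan (the default here covers a small image; raise `samples` for real drives) before signing off, and for self-encrypting or SSD media prefer the controller's own sanitize command and keep its output in the disposal record alongside this check.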
Read more in
- $35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned
- Morgan Stanley’s Hard Drive Destruction Investment Failure
- Complaint (PDF)
Overview
The US banking giant has agreed to pay a $35 million fine to the US Securities and Exchange Commission after the bank admitted to having failed to monitor and ensure that server and hard drive decommissioning operations were being carried out correctly. According to the SEC’s investigation, the bank used a third-party contractor to dispose of its old equipment during a hardware refresh program but failed to notice that this company had resold its old gear to another company, which then put it up for online auction. SEC officials said that some of the devices sold through this auction still contained unencrypted customer data and that the bank should have made sure the equipment was either destroyed or wiped so that its customers’ privacy was not put in danger. Read more: Morgan Stanley Smith Barney to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers