Morgan Stanley on Tuesday agreed to pay a $35 million fine to the Securities and Exchange Commission over data security failures in which unencrypted hard drives from decommissioned data centers were resold on auction sites without being wiped first.
The SEC said the improper disposal of thousands of hard drives, beginning in 2016, was part of a five-year “total failure” to protect customer data as federal regulations require. The agency said the failures also included the improper disposal of hard drives and backup tapes when servers in local branches were shut down. In all, the SEC said, the data of 15 million customers was exposed.
“The failures of MSSB in this case are amazing,” said Grewal, director of enforcement at the SEC, using the initials of Morgan Stanley Smith Barney, the company’s full name. “Customers entrust their personal information to financial professionals on the understanding and expectation that it will be protected, and MSSB has tragically failed to do so.”
Much of the failure stemmed from hiring, in 2016, a moving company with no experience or expertise in data destruction services to decommission the thousands of hard drives and servers holding the data of millions of customers. The moving company received 53 RAID arrays containing nearly 1,000 hard drives in total, and removed about 8,000 backup tapes from one of Morgan Stanley’s data centers.
The unnamed moving company initially contracted with an IT professional to erase or destroy any sensitive data stored on the drives. Eventually, the moving company stopped working with this specialist and began selling the storage devices to a company that, in turn, sold them at auction. That second company had never been vetted or approved by Morgan Stanley as a contractor or subcontractor on the decommissioning project.
In 2017, more than a year after the data center was decommissioned, Morgan Stanley officials received an email from an Oklahoma IT consultant telling them that hard drives he had purchased from an online auction site contained Morgan Stanley data.
In its complaint, the SEC wrote, “In this email, counsel informs MSSB that ‘[y]ou are a large financial institution and must follow some very strict guidelines on how to handle retired hardware. Or at least get some sort of data destruction verification from the vendors you sell the equipment to.’” In the end, MSSB repurchased the hard drives in the consultant’s possession.
The SEC action also said that many of the storage devices did not have encryption turned on, even though the option was available. Even after the firm began using the encryption options in 2018, only new data written to the disks was protected. In some cases the data was still not properly encrypted because of a defect in an unnamed vendor’s product.
Without admitting or denying the SEC’s allegations, Morgan Stanley agreed to Tuesday’s finding that it had violated the Safeguards Rule and the Disposal Rule of Regulation S-P, and agreed to pay the $35 million fine.
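The consultant’s email points at the control that was missing: verification that storage was actually destroyed or sanitized before it left the firm’s custody. The encryption detail matters for the same check, because encryption enabled late in a drive’s life leaves earlier writes in plaintext. The following is an added example, not code from the article or from Morgan Stanley or the SEC, of a simple post-sanitization audit over a raw disk image: it counts non-zero sectors (a zero-filled drive is the only one that passes) and separately flags sectors that look like readable text, which is what a buyer of an unwiped drive would find. The sample image, the 512-byte sector size and the 0.9 text threshold are assumptions chosen for the example.

```python
import random
import string

SECTOR_SIZE = 512                      # assumed sector size for the audit
PRINTABLE = set(string.printable.encode())  # bytes that read as plain text


def sector_stats(sector: bytes) -> dict:
    """Count non-zero bytes and the share of printable bytes in one sector."""
    nonzero = sum(1 for b in sector if b)
    printable = sum(1 for b in sector if b in PRINTABLE)
    return {"nonzero": nonzero, "printable_ratio": printable / len(sector)}


def verify_wipe(image: bytes, sector_size: int = SECTOR_SIZE,
                text_threshold: float = 0.9) -> dict:
    """Audit a raw image after a zero-fill wipe.

    A drive passes only if every sector is all zeros. Sectors that are
    non-zero *and* mostly printable are reported as suspect plaintext;
    random-looking residue (ciphertext, or a random-fill wipe) is non-zero
    but falls well below the text threshold, so it is counted but not
    flagged as readable data.
    """
    report = {"sectors": 0, "nonzero_sectors": 0, "suspect_sectors": []}
    for offset in range(0, len(image), sector_size):
        sector = image[offset:offset + sector_size]
        report["sectors"] += 1
        stats = sector_stats(sector)
        if stats["nonzero"]:
            report["nonzero_sectors"] += 1
            if stats["printable_ratio"] >= text_threshold:
                report["suspect_sectors"].append(offset // sector_size)
    report["clean"] = report["nonzero_sectors"] == 0
    return report


def make_sample_image() -> bytes:
    """Constructed 8-sector image: mostly wiped, one plaintext sector left
    behind (sector 3) and one sector of random bytes (sector 5)."""
    sectors = [bytes(SECTOR_SIZE) for _ in range(8)]
    leftover = b"Account: 0000-0000  Name: Jane Example  SSN: XXX-XX-XXXX"
    sectors[3] = leftover.ljust(SECTOR_SIZE, b" ")        # constructed record
    rng = random.Random(7)                                # deterministic filler
    sectors[5] = bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE))
    return b"".join(sectors)


def audit_sample() -> dict:
    """Run the audit over the constructed image."""
    return verify_wipe(make_sample_image())


if __name__ == "__main__":
    result = audit_sample()
    status = "PASS" if result["clean"] else "FAIL"
    print(f"{status}: {result['nonzero_sectors']} of {result['sectors']} "
          f"sectors non-zero; readable text in sectors {result['suspect_sectors']}")
```

In practice the image argument is a device read end to end, and a failing report is the evidence a vendor would have to produce before the hardware is released; the point of the separate suspect list is that a drive encrypted only after 2018 would still fail on exactly the sectors written before that date.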
Morgan Stanley officials wrote in a statement, “We are pleased to resolve this matter. We have previously notified relevant customers about these matters, which occurred several years ago, and have not detected any unauthorized access to or misuse of customer personal information.”