Morgan Stanley fined millions for not encrypting hardware

Data Breach
(Image credit: Shutterstock)

Morgan Stanley has settled with the US Securities and Exchange Commission (SEC) over claims that the financial services corporation failed to properly protect customer-sensitive data

As part of the settlement, the company will pay $35 million, but will not admit to being guilty, or deny the findings of the SEC.

The SEC found Morgan Stanley failed to protect customer data by poorly handling the decommissioning of some of its storage units. This included apparently hiring a moving and storage company “with no experience or expertise in data destruction services” to decommission thousands of hard disk drives (HDD) and servers, which were carrying unencrypted personally identifiable information on millions of Morgan Stanley clients, as far back as 2015.

Losing servers

The company, instead of properly disposing of the sensitive hardware, allegedly sold them to a third party which, finally, sold them on an internet auction. 

What’s more, the moving company managed to lose 42 servers. 

"Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so," said Gurbir S. Grewal, Director of the SEC's Enforcement Division. 

"If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today's action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data." 

Data center commissioning is an entire industry, with businesses developing entire processes to make sure old and outdated storage units get disposed of properly, without leaking sensitive data to third parties. 

Over the past decade, data has become an extremely valuable asset, which prompted governments, privacy advocates, and various non-profits to pay closer attention to how major tech companies gather, store, and share, customer information.

Via: Tom's Hardware

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.