Morgan Stanley agreed to pay the Securities and Exchange Commission (SEC) a $35 million fine for data security breaches, including unencrypted hard drives from decommissioned data centers that were resold on auction sites without being erased first.
The SEC’s action said the improper disposal of thousands of hard drives, beginning in 2016, was part of an “extensive failure” over a five-year period to protect customer data as required by federal regulations. The agency said the failures also included improperly removing hard drives and backup tapes when decommissioning servers at local branches. In all, the SEC said data from 15 million customers had been exposed.
“Astonishing Failures”
“MSSB’s failures in this case are astonishing,” said Gurbir S. Grewal, director of the SEC’s enforcement division, using the initials for Morgan Stanley Smith Barney, the company’s full name. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB has failed miserably in this regard.”
Much of the failure stemmed from hiring a moving company in 2016, with no experience or expertise in data destruction services, to decommission thousands of hard drives and servers containing millions of customers’ data. The moving company received 53 RAID arrays containing about 1,000 hard drives, and it also removed about 8,000 backup tapes from one of Morgan Stanley’s data centers.
The unnamed moving company initially contracted an IT specialist to erase or destroy all sensitive data on the drives. Eventually, the moving company stopped using that specialist and began selling the storage devices to another company, which in turn sold them at auction. That company was never vetted or approved by Morgan Stanley as a contractor or subcontractor on the decommissioning project.
In 2017, more than a year after the data center was decommissioned, Morgan Stanley officials received an email from an IT consultant in Oklahoma stating that the hard drives he had bought from an online auction site contained Morgan Stanley data.
In a complaint, SEC officials wrote, “In that email, Consultant informed MSSB that ‘[y]ou are a large financial institution and should follow some very strict guidelines on how to deal with depreciated hardware. Or at the very least get some sort of data destruction verification from the suppliers you sell equipment to.’ MSSB eventually bought back the hard drives that Consultant owned.”
The SEC action also said many of the storage devices did not have encryption enabled, although the option existed. Even after the investment firm began using the encryption options in 2018, only new data written to the drives was protected. In some cases, data was still not properly encrypted because of an error in an unidentified vendor’s product.
Without admitting or denying the SEC’s claims, Morgan Stanley agreed to Tuesday’s finding that it violated the Safeguards and Disposal Rules under Regulation SP and agreed to pay the $35 million fine.
In a statement, Morgan Stanley officials wrote: “We are pleased to resolve this matter. We have previously notified relevant customers of these matters, which occurred several years ago, and have not discovered any unauthorized access or misuse of personal customer information.”