Morgan Stanley agreed on Tuesday to pay a $35 million fine to the Securities and Exchange Commission (SEC) over data breaches in which unencrypted hard drives from decommissioned data centers were resold at auction without first being wiped.
The SEC action said the improper disposal of thousands of hard drives beginning in 2016 was part of a “broad failure” over a five-year period to protect customer data as required by federal regulations. The agency said the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers at local offices. In all, the SEC said data on 15 million customers was exposed.
“MSSB’s failures in this case are astonishing,” said Gurbir S. Grewal, the SEC’s director of enforcement, using the initials of Morgan Stanley Smith Barney, the firm’s full name. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short of that.”
Much of the failure stemmed from the hiring, in 2016, of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing data on millions of customers. The moving company obtained 53 RAID arrays, which together held about 1,000 hard drives, and removed about 8,000 backup tapes from one of Morgan Stanley’s data centers.
The unnamed moving company initially contracted with an IT specialist to remove or destroy the sensitive data stored on the drives. Eventually, the moving company stopped working with this specialist and began selling the storage devices to another company, which in turn sold them at auction. That company was never vetted by Morgan Stanley or approved as a contractor or subcontractor on the decommissioning project.
In 2017, more than a year after the data center was decommissioned, Morgan Stanley officials received an email from an Oklahoma IT consultant saying that hard drives he had purchased at an online auction contained Morgan Stanley data.
In the complaint, SEC officials wrote: “In this email, the consultant told MSSB that ‘[Y]ou are a large financial institution and must follow some very strict guidelines on how to handle retiring equipment. Or at least get some kind of confirmation of data destruction from the vendors you sell the equipment to.’” MSSB eventually bought back the hard drives that were in the consultant’s possession.
The SEC action also said many of the storage devices did not have encryption enabled, even though the option existed. Even after the investment firm began using the encryption options in 2018, only new data written to the drives was protected. In some cases, the data was still not encrypted properly because of a flaw in the unnamed vendor’s product.
Without admitting or denying the SEC’s claims, Morgan Stanley agreed on Tuesday to a finding that it violated the safeguards and disposal rules under Regulation S-P and agreed to pay a $35 million fine.
In a statement, Morgan Stanley wrote: “We are pleased to resolve this matter. We previously notified the relevant customers of these issues, which occurred several years ago, and have not detected any unauthorized access to or misuse of customer personal information.”