Morgan Stanley fined $35M: Unencrypted and Unwiped Hard Drives Auctioned

Image by Bruno /Germany from Pixabay

This is ugly, sloppy and overall very unacceptable behavior for a company the size and caliber of Morgan Stanley:

Morgan Stanley on Tuesday agreed to pay the Securities and Exchange Commission (SEC) a $35 million penalty for data security lapses that included unencrypted hard drives from decommissioned data centers being resold on auction sites without first being wiped.

Much of the failure stemmed from the 2016 hire of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the data of millions of customers. The moving company received 53 RAID arrays that collectively contained roughly 1,000 hard drives, and it also removed about 8,000 backup tapes from one of the Morgan Stanley data centers.

The unnamed moving company initially contracted with an IT specialist to wipe or destroy any sensitive data stored on the drives. Eventually, the moving company stopped working with that specialist and began selling the storage devices to a company that in turn sold them at auction. The new company was never vetted by Morgan Stanley or approved as a contractor or subcontractor in the decommissioning project.

While it is not unusual to hire a contractor to remove decommissioned IT equipment, I would have thought Morgan Stanley, being as large as they are, would have their own in-house asset recovery. Even if they don’t, they should already have an existing active contract with a company that handles Secure IT-Asset Disposition, not place the responsibility on a ‘moving company’ with “no experience or expertise in data destruction services”. At the grocery chain where I worked, we handled 99% of anything IT-related in-house. The 1% we contracted out included refurbishing register tills (we were unable to accommodate the high quantities and equipment needed to bulk clean these) and receipt printers (high failure rate due to coins, paperclips and liquids being dropped inside). For those items we determined it would be better (time and money) to contract out to a third-party company to service them. However, there was no sensitive customer/store data associated with these items.

Whenever a store, office, data center, etc. closed or was converted, a moving/freight company was hired only for the purpose of transporting the equipment back to our asset recovery facility. Once received, the equipment went through an initial sorting. Equipment which we could still use was sent to my department to be refurbished, redeployed or used for parts. Equipment which was no longer used would be sold to an e-waste recycler after the hard drives were removed and shredded. Never would we sell ANY hard drives (or equipment which contained hard drives); there is just too much sensitive information (store data, customer data, etc.). Furthermore, why were the hard drives unencrypted? This is basic data security, right along with ensuring paper documents are shredded and not dumped in the trash.

I feel like Morgan Stanley is getting off easy with only a $35 million penalty. If this had happened in the EU, the penalties would have been far worse. Such astonishing basic security failures by a financial services company should result in their SEC license being suspended or even revoked, not just a slap-on-the-wrist fine. The SEC should require Morgan Stanley to undergo some type of IT security audit (what other security lapses could be placing their customers’ private/financial data at risk?). In an era where consumers are increasingly aware of data/security breaches, this is not good PR for Morgan Stanley.

via Ars Technica