Morgan Stanley on Tuesday agreed to pay the Securities and Exchange Commission (SEC) a $35 million penalty for data security lapses that included unencrypted hard drives from decommissioned data centers being resold on auction sites without first being wiped.
The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.
“MSSB’s failures in this case are astonishing,” said Gurbir S. Grewal, director of the SEC’s enforcement division, using the initials for Morgan Stanley Smith Barney, the full name of the firm. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.”
Much of the failure stemmed from the 2016 hire of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the data of millions of customers. The moving company received 53 RAID arrays that collectively contained roughly 1,000 hard drives, and it also removed about 8,000 backup tapes from one of the Morgan Stanley data centers.
The unnamed moving company initially contracted with an IT specialist to wipe or destroy any sensitive data stored on the drives. Eventually, the moving company stopped working with that specialist and began selling the storage devices to a company that in turn sold them at auction. The new company was never vetted by Morgan Stanley or approved as a contractor or subcontractor in the decommissioning project.
In 2017, more than a year after the data center’s decommissioning, Morgan Stanley officials received an email from an IT consultant in Oklahoma, informing them that hard drives he purchased from an online auction site contained Morgan Stanley data.
In a complaint, SEC officials wrote, “In that email, Consultant informed MSSB that ‘[y]ou are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware. Or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to.’ MSSB eventually repurchased the hard drives in Consultant’s possession.”
The SEC action also said that many of the storage devices didn’t have encryption turned on, though the option existed. Even after the investment firm began using encryption options in 2018, only new data written to the disks was protected. In some cases, data still wasn’t properly encrypted because of a flaw in an unidentified vendor’s product.
Without admitting or denying the SEC claims, Morgan Stanley agreed to Tuesday’s finding that it violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the $35 million penalty.
In a statement, Morgan Stanley officials wrote, “We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information.”