Morgan Stanley on Tuesday agreed to pay the Securities and Exchange Commission (SEC) a $35 million penalty for data security lapses that included unencrypted hard drives from decommissioned data centers being resold on auction sites without first being wiped.
The SEC action said that the improper disposal of thousands of hard drives beginning in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.
“MSSB’s failures in this case are astonishing,” said Gurbir S. Grewal, director of the SEC’s enforcement division, using the initials for Morgan Stanley Smith Barney, the full name of the firm. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.”
Much of the failure stemmed from the 2016 hiring of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the data of millions of customers. The moving company received 53 RAID arrays that collectively contained roughly 1,000 hard drives, and it also removed about 8,000 backup tapes from one of the Morgan Stanley data centers.
The unnamed moving company initially contracted with an IT specialist to wipe or destroy any sensitive data stored on the drives. Eventually, the moving company stopped working with that specialist and began selling the storage devices to a company that in turn sold them at auction. The new company was never vetted by Morgan Stanley or approved as a contractor or subcontractor in the decommissioning project.
In 2017, more than a year after the data center’s decommissioning, Morgan Stanley officials received an email from an IT consultant in Oklahoma, informing them that hard drives he had bought from an online auction site contained Morgan Stanley data.
In a complaint, SEC officials wrote, “In that email, Consultant informed MSSB that ‘[y]ou are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware. Or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to.’ MSSB eventually repurchased the hard drives in Consultant’s possession.”
The SEC action also said that many of the storage devices didn’t have encryption turned on, even though the option existed. Even after the investment firm began using encryption options in 2018, only new data written to the disks was protected. In some cases, data still wasn’t properly encrypted because of a flaw in an unidentified vendor’s product.
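The two failure modes described above (no verification that drives were wiped before they left the firm, and encryption that covered only data written after it was switched on) as an added example in Python, not from the article or from Morgan Stanley: a block scan that classifies a drive image and refuses release while any block still reads as plaintext. The drive image, the customer records and the hashlib keystream used as a stand-in for real disk encryption are all constructed assumptions.

```python
"""Added example (not from the article): pre-release check of a decommissioned
drive image. Records, image and the hashlib keystream standing in for real disk
encryption are all constructed here."""
import hashlib
import math
import string

BLOCK = 512
PRINTABLE = set(string.printable.encode())

def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for a zero-filled block."""
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_block(data: bytes) -> str:
    """'zeroed', 'plaintext' (readable legacy data) or 'high-entropy' (encrypted/random)."""
    if not any(data):
        return "zeroed"
    printable = sum(b in PRINTABLE for b in data) / len(data)
    if printable > 0.9 and entropy_bits(data) < 6.0:
        return "plaintext"
    return "high-entropy"

def scan_image(image: bytes) -> dict:
    """Map each block class to the block indexes where it was found."""
    found = {"zeroed": [], "plaintext": [], "high-entropy": []}
    for off in range(0, len(image), BLOCK):
        found[classify_block(image[off:off + BLOCK])].append(off // BLOCK)
    return found

def is_sanitized(image: bytes) -> bool:
    """Release criterion: no block on the drive still looks like plaintext."""
    return not scan_image(image)["plaintext"]

def keystream_encrypt(data: bytes, key: bytes, block_no: int) -> bytes:
    """Stand-in for disk encryption: XOR with a SHA-256(key || block || ctr) keystream."""
    ks = b""
    for ctr in range(0, len(data), 32):
        ks += hashlib.sha256(key + block_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def build_demo_image() -> bytes:
    """Constructed drive: 4 legacy plaintext blocks, 4 blocks written after encryption, 8 unused."""
    legacy = [f"ACCT{n:06d},Jane Doe,Balance=1234.56".encode().ljust(BLOCK, b" ")
              for n in range(4)]
    post = [keystream_encrypt(f"ACCT{n:06d},Post-2018 record".encode().ljust(BLOCK, b" "),
                              b"demo-key", n) for n in range(4, 8)]
    return b"".join(legacy + post) + bytes(BLOCK * 8)
```

Enabling encryption after the fact leaves the four legacy blocks readable, which is exactly what the scan flags; a zero-filled image passes.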
Without admitting or denying the SEC claims, Morgan Stanley agreed to Tuesday’s finding that it violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the $35 million penalty.
In a statement, Morgan Stanley officials wrote, “We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information.”