$35 Million Fine From Securities and Exchange Commission Covers 5 Years of Mishaps
Mathew J. Schwartz (euroinfosec) • September 21, 2022
Morgan Stanley headquarters in New York (Photo: Ajay Suresh via Flickr/CC)
The early 2000s are calling; they want their easily preventable physical data breach back.
How else to respond to the news that financial giant Morgan Stanley will pay a $35 million fine to settle allegations that it failed to ensure the proper disposal of hard drives containing personally identifiable information for 15 million customers?
The U.S. Securities and Exchange Commission on Tuesday unveiled charges against Morgan Stanley Smith Barney LLC, or MSSB, tied to multiple episodes involving it allegedly mishandling customer PII, starting in 2015.
Doing business as Morgan Stanley Wealth Management, the division of publicly traded Morgan Stanley reported 2021 net revenues of $24 billion.
Despite its financial success, the SEC has accused the company of skimping on data protection, specifically of violating Regulation S-P Rules 30(a) and 30(b). Those rules require regulated firms to maintain written policies and procedures for safeguarding customer records and information, and for disposing of them properly.
The SEC also found that when the company decommissioned 500 servers in 2019, encryption software on the server hard drives had only been enabled in 2018, and that even then, “due to a manufacturer flaw, the encryption software only encrypted newly created data,” meaning that volumes of unencrypted PII were still being stored on the drives. Switching encryption on late protects nothing that was already written unless the existing data is re-encrypted in place; the only reliable check is to read the drive back and confirm that no plaintext remains.
Another surprise is the five-year period starting in 2015 over which many different alleged data protection failures occurred at the banking giant. One year after a 2016 data center decommissioning, Morgan Stanley received an email from an Oklahoma-based IT consultant who had purchased hard drives via an unnamed online auction site and found MSSB data on them, the SEC says.
As the consultant told Morgan Stanley: “You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware. Or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to.” The bank repurchased the hard drives for an undisclosed amount and launched an investigation.
Data Decommissioning Essentials
Ensuring the proper decommissioning of old hard drives might sound boring, but it’s something IT departments have practiced for years, for obvious reasons. Proper sanitization means clearing, purging or physically destroying the media, as NIST SP 800-88 lays out, and verifying the result before the hardware changes hands. Unless they are reliably wiped or destroyed, old hard drives can easily pop up on eBay with stored customer data intact.
No-brainer data protection moves have also long included mandatory shredding of paper documents containing sensitive details – to guard against dumpster diving – as well as never allowing PII to get copied onto laptops or storage devices that aren’t encrypted by default. That way, if they get lost or stolen, nothing sensitive or regulated gets exposed. These are basic security steps.
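The verification step that the story keeps coming back to is reading a retired drive back before it leaves your custody. The following is an added example for this article, not code from Morgan Stanley, its vendors or the SEC order: it classifies every sector of a raw drive image as overwritten (all zeros), crypto-erased or encrypted (uniform noise) or plaintext remnant, then greps the raw bytes for obvious PII. The 512-byte sector size, the 7.0 bits-per-byte entropy cutoff, the SSN and e-mail patterns and the sample image with fictional PII are all assumptions made for the illustration.

```python
"""Post-sanitization read-back check for a raw drive image (added example;
not Morgan Stanley's, its vendors' or the SEC's tooling).

An overwritten drive reads as all zeros; a crypto-erased drive (key destroyed)
reads as uniform noise. Any nonzero, low-entropy sector is a plaintext remnant
and should block release. That is exactly what a late-enabled encryption tool
that only protects newly written data leaves behind.
"""
import math
import random
import re
from collections import Counter
from dataclasses import dataclass, field

SECTOR = 512           # assumed sector size
ENTROPY_CUTOFF = 7.0   # bits per byte; assumed boundary between noise and plaintext
OVERLAP = 64           # bytes carried between chunks so a pattern split across reads is found

# Assumed PII patterns for the illustration (not exhaustive): US SSN and e-mail address.
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def shannon_entropy(buf: bytes) -> float:
    """Empirical entropy in bits per byte: 0 for empty or constant data, ~7.6 for 512 random bytes."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_sector(buf: bytes) -> str:
    """'zero' = overwritten, 'random' = encrypted or crypto-erased, 'plaintext' = remnant data."""
    if not any(buf):
        return "zero"
    if shannon_entropy(buf) >= ENTROPY_CUTOFF:
        return "random"
    return "plaintext"


@dataclass
class WipeReport:
    sectors: Counter = field(default_factory=Counter)   # sector class -> count
    pii_hits: Counter = field(default_factory=Counter)  # pattern name -> match count

    @property
    def release_ok(self) -> bool:
        """Release the drive only if no plaintext sector survived and no PII pattern matched."""
        return self.sectors["plaintext"] == 0 and not self.pii_hits


def scan_chunks(chunks) -> WipeReport:
    """Scan an iterable of byte chunks (each a multiple of SECTOR) streamed from the drive."""
    report = WipeReport()
    tail = b""
    for buf in chunks:
        for off in range(0, len(buf), SECTOR):
            report.sectors[classify_sector(buf[off:off + SECTOR])] += 1
        window = tail + buf
        for name, pat in PII_PATTERNS.items():
            # Count only matches that end inside the new data, so a match lying wholly
            # inside the carried-over tail is not counted a second time.
            report.pii_hits[name] += sum(1 for m in pat.finditer(window) if m.end() > len(tail))
        tail = buf[-OVERLAP:]
    report.pii_hits = Counter({k: v for k, v in report.pii_hits.items() if v})
    return report


def scan_image(image: bytes, chunk_sectors: int = 2048) -> WipeReport:
    """Scan an in-memory image. For a real drive, open the block device (e.g. /dev/sdX,
    needs root) and feed its reads to scan_chunks instead of loading it into memory."""
    step = SECTOR * chunk_sectors
    return scan_chunks(image[i:i + step] for i in range(0, len(image), step))


def build_sample_image() -> bytes:
    """Constructed 7-sector image: 4 wiped, 2 crypto-erased, 1 plaintext remnant with fictional PII."""
    rng = random.Random(2022)

    def noise() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(SECTOR))

    wiped = bytes(SECTOR)
    record = b"Jane Doe, SSN 123-45-6789, jane.doe@example.com, acct 0011223344\n"
    remnant = (record * (SECTOR // len(record) + 1))[:SECTOR]
    return wiped * 4 + noise() + noise() + remnant


if __name__ == "__main__":
    rep = scan_image(build_sample_image())
    print(dict(rep.sectors), dict(rep.pii_hits), "release_ok =", rep.release_ok)
    clean = scan_image(bytes(SECTOR) * 8)
    print(dict(clean.sectors), dict(clean.pii_hits), "release_ok =", clean.release_ok)
```

The entropy test is what catches the failure mode in the SEC order: a drive whose encryption was switched on late shows a mix of noise sectors and low-entropy sectors, and the report refuses release even if no PII regex happens to fire. Run it on the read-back of a drive, not on the configuration of the tool that was supposed to wipe it, and keep the report as the destruction record the consultant in the story wished Morgan Stanley had demanded from its vendors.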
So how did Morgan Stanley forget the “destroy your old hard drives” data-decommissioning essential? That’s the question regulators have been asking.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” says Gurbir S. Grewal, director of the SEC’s Enforcement Division. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”
Bank Hired Moving Company to Handle Destruction
SEC investigators found that Morgan Stanley routinely handed its retired hard drives to a moving and storage company that had no experience in data destruction or in decommissioning hard drives, and then failed to monitor what that company did with them. The moving company had agreed to work with a third-party e-waste management company that would wipe the hard drives, but it found it more profitable to sell the equipment itself, including an inventory of 1,000 hard drives from redundant array of independent disks, or RAID, arrays, plus 8,000 backup tapes.
“As a result of MSSB’s failure to oversee its vendor,” the SEC says that the moving company “sold approximately 4,900 IT assets, including unwiped hard drives, some of which, cumulatively, contained thousands of pieces of PII of MSSB’s customers.”
Morgan Stanley has failed to recover “the vast majority” of the devices that were improperly disposed of, the SEC says. What it has recovered also isn’t reassuring. “In June 2021, MSSB obtained another 14 of the missing hard drives from a downstream purchaser,” the SEC says. “Based on forensic analysis of these hard drives, 13 of the devices contained a total of at least 140,000 pieces of customer PII.”
Customers Already Notified of Breach
Morgan Stanley in July 2020 notified the 15 million affected customers that their data had likely been exposed. It said account names and numbers for Morgan Stanley and any linked bank accounts were at risk, and Social Security numbers, passport numbers, contact information, date of birth, asset value and holdings data may have been exposed. Affected customers were offered two years of prepaid credit monitoring services.
In January, the financial services giant agreed to settle a class action lawsuit over the data exposure for $60 million.
The SEC isn’t the first regulator to censure the bank for mishandling PII. In 2020, the Office of the Comptroller of the Currency, which is part of the Department of the Treasury, fined Morgan Stanley $60 million for multiple data protection failures, including those surrounding the decommissioning of two data centers in 2016.
Now, beyond paying the $35 million civil penalty announced by the SEC on Tuesday, Morgan Stanley has also been ordered to “cease and desist from committing or causing any violations and any future violations of Rules 30(a) and (b) of Regulation S-P,” which requires the firm to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”
As is typical with SEC charges, Morgan Stanley has agreed to pay a fine without admitting or denying the regulator’s findings. Clearly, however, the onus is on Morgan Stanley to get serious about protecting PII. As the SEC says, “violating such an order can result in criminal contempt proceedings, which may result in fines, incarceration, or both.”