Morgan Stanley has agreed to pay a $35 million penalty to the Securities and Exchange Commission (SEC) for data security breaches. These breaches involved the improper disposal of hard drives from decommissioned data centers, which were then resold on auction sites without being wiped clean of sensitive information. This failure to safeguard customer data, as required by federal regulations, spanned over five years.
The SEC revealed that the mishandling of thousands of hard drives, starting in 2016, was just one part of a broader pattern of negligence. Morgan Stanley also improperly disposed of hard drives and backup tapes when decommissioning servers in local branches. Overall, the SEC estimated that data from 15 million customers was exposed.
Director of the SEC’s enforcement division, Gurbir S. Grewal, expressed astonishment at Morgan Stanley’s failures. Customers trust financial professionals to protect their personal information, and in this case, Morgan Stanley fell far short of that expectation.
The primary cause of the lapses was the hiring of a moving company in 2016 that had no expertise or experience in data destruction services. This moving company ended up receiving 53 RAID arrays, which contained around 1,000 hard drives, as well as approximately 8,000 backup tapes from one of Morgan Stanley’s data centers.
Initially, the moving company had contracted with an IT specialist to properly wipe or destroy any sensitive data on the hard drives. However, they eventually stopped working with that specialist and started selling the storage devices to another company, which then auctioned them off. Unfortunately, the new company was never vetted by Morgan Stanley or approved as a contractor in the decommissioning process.
These data security breaches present a significant threat to the Indirect Air Carrier Business. We want to make sure that secure information handling is always a top priority!
To check out the original article please follow the link below:
$35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned | Ars Technica