SEC fines Morgan Stanley $35 million after exposing customer data on 1,000 auctioned hard...

Cal Jeffrey

Facepalm: On Wednesday, Morgan Stanley settled a complaint by the Securities and Exchange Commission (SEC) over "astonishing" security failures occurring between 2016 and 2021. The financial giant agreed to pay a $35 million fine for the improper disposal of hard drives from one of its decommissioned data centers.

According to the SEC's complaint, Morgan Stanley auctioned off roughly 1,000 unencrypted HDDs that had not had their contents erased. It also claims that the company improperly disposed of thousands of hard drives and backup magnetic media, exposing the data of more than 15 million Morgan Stanley customers. Officials called the security failures "astonishing."

"MSSB's failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so," said SEC's Enforcement Division Director Gurbir S. Grewal. "If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors."

According to the SEC, Morgan Stanley decommissioned two data centers in 2016, resulting in a cascade of security lapses caused by the company's negligence.

To start with, rather than destroying the hard drives or having an internal IT team zero them, the company contracted a third-party moving company to take care of the hardware. The mover took possession of 53 RAID arrays comprising around 1,000 HDDs, along with about 8,000 backup tapes. The unnamed firm allegedly had no experience in decommissioning storage media.

The moving company initially subcontracted an IT firm to wipe the drives. However, the two companies had a falling out, and the mover began selling the storage devices to another outfit that turned around and auctioned them online without erasing them.

In 2017, nearly a year after the decommissioning project began, an IT professional from Oklahoma emailed Morgan Stanley and informed it that he had hard drives containing the firm's customer data.

"You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware," the IT consultant wrote. "Or, at the very least, getting some kind of verification of data destruction from the vendors you sell equipment to."

The wealth management company subsequently bought back all the HDDs the consultant had in his possession.

Beyond the negligence of not zeroing the drives and not keeping tabs on what its contractors were doing with them, most of the customer data was unencrypted even though many of the HDDs had built-in encryption support. Morgan Stanley only began using encryption in 2018, and only for new files; old data was still unprotected. The SEC claims that even after 2018, some information remained unencrypted because of a security failure in its data protection suite.

Morgan Stanley agreed to pay the fine without admitting guilt or wrongdoing. The Business Standard notes that a spokesperson said there is no indication that any customers were affected.

"We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information," said the spokesperson.

Wow, 35 million!! I bet Morgan Stanley earns that amount in about 5 minutes on a slow day!!

Those pathetic SEC fines are what, from the 1920s?? But I doubt the SEC, aka the harlot of Big Finance, will ever raise those fines.

It's essentially a license to keep doing whatever they're doing and keep screwing the customer.
 
Yeah, sounds like a lot of money, but chump change for a securities firm. Best way to hit them would be if every customer found out about this, and moved their portfolio to someone else.
 
Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected
That's a laugh. It is all done on paper, bogus reports and certificates, not in reality. The only thing that changed in the financial crooked world is their bold claim of security.
 
Wow, 35 million!! I bet Morgan Stanley earns that amount in about 5 minutes on a slow day!!

Those pathetic SEC fines are what, from the 1920s?? But I doubt the SEC, aka the harlot of Big Finance, will ever raise those fines.

It's essentially a license to keep doing whatever they're doing and keep screwing the customer.

Yeah, but they took down Martha Stewart, so they are protecting you.

Problem of a modern society: separation of decisions from the people hurt. Someone running the numbers at Morgan Stanley: "with this merger and these plant closures we can save 60 million and reduce your pension liability by 10 thousand workers." "Hey kids, great day at work today, saved my client 60 million/year."

Corporate raiders, merchant banks, short-term profit grabbers are not your friends, just necessary scavengers that should be heavily controlled.
 
And the IT fools at Morgan Stanley do not know about services that shred disks? Sheesh! Blithering *****s. They talk the big game about security but do not walk the walk.
 
And the IT fools at Morgan Stanley do not know about services that shred disks? Sheesh! Blithering *****s. They talk the big game about security but do not walk the walk.
You are right, these should not have even been sold.
Well, marriage counsellors divorce, financial advisors go bankrupt.
 
And what, if anything, is the SEC doing about those third parties that were involved in this monumental F up?