September 21, 2022

Morgan Stanley will pay a $35 million fine to the Securities and Exchange Commission for data security failures. This includes reselling unencrypted hard drives from decommissioned data centers on auction platforms without first deleting them and not safeguarding the information of customers when displacing company hard drives and servers.

According to the SEC, Morgan Stanley’s actions in 2016 were part of a larger failure to protect customers’ data, as required by federal rules, and it outed data from 15 million of its customers by hiring a moving company with no experience or expertise in data destruction to destroy hard drives and servers containing customer data.

It went on to say that many of these storage devices were not even encrypted, despite the fact that the option existed.

Morgan Stanley provided the moving company with 53 RAID arrays with about 1,000 hard drives and about 8,000 backup tapes, and the company hired an IT specialist to destroy the sensitive data stored on the hard drives.

The moving company terminated its cooperation with that specialist and began selling the storage devices to a company, which then auctioned them off, until Morgan Stanley received an email in 2017 from an IT consultant informing them that hard drives, he had bought from an online auction site contained Morgan Stanley data.

Morgan Stanley agreed with the SEC’s finding that it violated the Safeguards and Disposal Rules under the S-P regulation and agreed to pay the $35 million penalty.

The sources for this piece include an article in ArsTechnica.