source link: https://arstechnica.com/information-technology/2022/09/morgan-stanley-pays-35m-penalty-for-extensive-failure-to-safeguard-customer-data/

SOLD TO THE HIGHEST BIDDER —

$35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned

"Astonishing failures" over a 5-year span.

Dan Goodin - 9/20/2022, 9:22 PM


Morgan Stanley on Tuesday agreed to pay the Securities and Exchange Commission (SEC) a $35 million penalty for data security lapses that included unencrypted hard drives from decommissioned data centers being resold on auction sites without first being wiped.

The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.

"Astonishing failures"

“MSSB’s failures in this case are astonishing,” said Gurbir S. Grewal, director of the SEC’s enforcement division, using the initials for Morgan Stanley Smith Barney, the full name of the firm. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.”

Much of the failure stemmed from the 2016 hire of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the data of millions of customers. The moving company received 53 RAID arrays that collectively contained roughly 1,000 hard drives, and it also removed about 8,000 backup tapes from one of the Morgan Stanley data centers.


The unnamed moving company initially contracted with an IT specialist to wipe or destroy any sensitive data stored on the drives. Eventually, the moving company stopped working with that specialist and began selling the storage devices to a company that in turn sold them at auction. The new company was never vetted by Morgan Stanley or approved as a contractor or subcontractor in the decommissioning project.

In 2017, more than a year after the data center's decommissioning, Morgan Stanley officials received an email from an IT consultant in Oklahoma, informing them that hard drives he purchased from an online auction site contained Morgan Stanley data.

In a complaint, SEC officials wrote, “In that email, Consultant informed MSSB that ‘[y]ou are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware. Or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to.’ MSSB eventually repurchased the hard drives in Consultant’s possession.”

The SEC action also said that many of the storage devices didn’t have encryption turned on, though the option existed. Even after the investment firm began using encryption options in 2018, only new data written to the disks was protected. In some cases, data still wasn’t properly encrypted because of a flaw in an unidentified vendor’s product.

Without admitting or denying the SEC claims, Morgan Stanley agreed to Tuesday’s finding that it violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the $35 million penalty.
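A control that would have caught the gaps described above, written here as an added example (not code from the article, the SEC, or Morgan Stanley): a small audit over a constructed decommissioning ledger that flags drives that were never encrypted, drives encrypted only after data was already written to them, and drives that left custody without a verified destruction record from an approved vendor. Vendor names, serial numbers and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed placeholder: the only parties vetted and approved for data destruction.
APPROVED_DISPOSAL_VENDORS = {"certified-destruction-co"}

@dataclass
class Drive:
    serial: str
    first_write: date                        # when customer data first landed on the drive
    encryption_enabled: Optional[date]       # when encryption was turned on; None if never
    disposal_vendor: Optional[str]           # who actually took custody at decommissioning
    destruction_certificate: Optional[str]   # vendor's verified destruction record; None if absent

def audit_drive(d: Drive) -> list[str]:
    """Return the control failures for one decommissioned drive (empty list = clean)."""
    findings = []
    if d.encryption_enabled is None:
        findings.append("never encrypted: all data on the drive is cleartext")
    elif d.encryption_enabled > d.first_write:
        # Turning encryption on later only protects data written afterwards.
        findings.append("encryption enabled after first write: earlier data may be cleartext")
    if d.disposal_vendor not in APPROVED_DISPOSAL_VENDORS:
        findings.append(f"custody passed to unapproved party {d.disposal_vendor!r}")
    if d.destruction_certificate is None:
        findings.append("no verified destruction record: drive must not be released")
    return findings

def audit_fleet(drives: list[Drive]) -> dict[str, list[str]]:
    """Map serial -> findings for every drive that fails at least one control."""
    result = {}
    for d in drives:
        findings = audit_drive(d)
        if findings:
            result[d.serial] = findings
    return result

# Constructed sample fleet mirroring the failure modes the article describes.
SAMPLE_FLEET = [
    Drive("SN-0001", date(2015, 3, 1), None, "moving-co-reseller", None),
    Drive("SN-0002", date(2016, 6, 1), date(2018, 1, 15), "certified-destruction-co", "CERT-77"),
    Drive("SN-0003", date(2018, 2, 1), date(2018, 2, 1), "certified-destruction-co", "CERT-78"),
]

if __name__ == "__main__":
    for serial, findings in audit_fleet(SAMPLE_FLEET).items():
        print(serial, "->", "; ".join(findings))
```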

In a statement, Morgan Stanley officials wrote, “We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information.”

Promoted Comments

  • Quote:
    In a statement, Morgan Stanley officials wrote, “We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information.”
    What a load of shit. The matter is NOT resolved. Firstly, this happening 'several years' ago is meaningless. Depending on what data was on those drives--which Morgan Stanley doesn't appear to be disclosing--it's entirely possible that someone could be damaged many years into the future from having their information mishandled like this. Secondly, how would they detect access/misuse of client information? Are the credit reports of every single affected customer being monitored? Are they involved in validating/researching every instance of identity theft, fraud, thievery, or any other crime that could be connected to this data? Lastly, a $35 million fine for this is a fucking joke. Our society has gotten WAY too comfortable with slaps on the wrist for these massive corporations who don't give a shit about properly securing our data. I think right now I have AT LEAST three different free credit monitoring things going on because of shit like this. When are we going to aggressively demand that enforcement of our data and consumer privacy protection laws actually be worth something?
  • I am leading a large (for us) IT decommissioning project at the moment. We have a checklist for every device that is part of a master sheet, which each technician dates and signs when complete. Every piece of hardware has color-coded painter's tape attached to it with exact phrases written in Sharpie to ensure the device is placed in the correct pile, and we know what has been completed.

    We're four people (who all have other job responsibilities) working with a publicly funded level of budget. What's your excuse, Morgan Stanley?
