Morgan Stanley fined US$35m for data breach

Wealth manager Morgan Stanley has been fined US$35m for failing to protect the personal information of millions of its customers. 

The US Securities and Exchange Commission (SEC) fined the firm for “extensive failures” to protect the personal identifying information of an estimated 15 million customers, over a five-year period.

Morgan Stanley used a third party to decommission thousands of hard drives holding the personal data of its customers. The third party, according to the SEC, was a moving and storage company with “little or no expertise in data destruction.” The moving company later sold on thousands of the Morgan Stanley devices, including servers and hard drives, some of which still contained customer data; these were then resold on an internet auction site without the data having been removed.

Morgan Stanley managed to recover some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, but the vast majority remain lost.

The SEC’s order also found that Morgan Stanley failed to properly safeguard customer information and properly dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh programme. 

A records reconciliation exercise undertaken by the firm during this decommissioning process revealed that 42 servers, all potentially containing unencrypted customer information and consumer report information, were missing. 

According to the SEC, Morgan Stanley also learned that the local devices being decommissioned had been equipped with encryption capability – but it had failed to activate the encryption software for years.

“The SEC’s ruling highlights the growing complexity of third-party or supply-chain risk, as it is often called,” says Mike Finlay, CEO at RiskBusiness. “Firms should never make assumptions about a third party’s risk management capabilities or their understanding of the nature of materials you are handing over to them. This case also reinforces the message that firms should avoid siloed working. Risk management should be a company-wide concern, and IT and cyber security teams should be fully engaged with the risk management function in order to provide essential specialist knowledge and expertise.”

Morgan Stanley is also facing a class-action lawsuit brought by consumers affected by the data breach. The plaintiffs’ lawyers claim the bank dismissed its usual vendor, IBM, in favour of an “unknown and unqualified vendor”, which has been named in court documents as Triple Crown.