Morgan Stanley has settled with the US Securities and Exchange Commission (SEC) over claims that the financial services corporation failed to properly protect customer-sensitive data (opens in new tab).
As part of the settlement, the company will pay $35 million, but will not admit to being guilty, or deny the findings of the SEC.
The SEC found Morgan Stanley failed to protect customer data by poorly handling the decommissioning of some of its storage units. This included apparently hiring a moving and storage company “with no experience or expertise in data destruction services” to decommission thousands of hard disk drives (HDD) and servers, which were carrying unencrypted (opens in new tab) personally identifiable information on millions of Morgan Stanley clients, as far back as 2015.
Losing servers
The company, instead of properly disposing of the sensitive hardware, allegedly sold them to a third party which, finally, sold them on an internet auction.
What’s more, the moving company managed to lose 42 servers.
“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir S. Grewal, Director of the SEC’s Enforcement Division.
“If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
Data center commissioning is an entire industry, with businesses developing entire processes to make sure old and outdated storage units get disposed of properly, without leaking sensitive data to third parties.
Over the past decade, data has become an extremely valuable asset, which prompted governments, privacy advocates, and various non-profits to pay closer attention to how major tech companies gather, store, and share, customer information.
Via: Tom’s Hardware (opens in new tab)