The US Securities and Exchange Commission (SEC) has fined Morgan Stanley Smith Barney $35 million for negligence in ensuring the security of its clients’ data. The settlement relates to “major failures” by the investment adviser and financial services company over a period of more than five years.
Morgan Stanley agreed to pay the $35 million fine to settle with the SEC. The federal agency said the company failed to protect customer data in accordance with federal privacy rules: Morgan Stanley disposed of thousands of devices containing its clients’ personally identifiable information (PII) without taking adequate precautions.
Some of these devices (hard drives and servers) supported encryption, but the data on them, including identity data, was never encrypted, a technical failure that compounded the disposal problem. So when Morgan Stanley hired a shipping company with “no experience or knowledge in data destruction services,” it exposed the identifying information of 15 million customers.
Jordan Schroeder, CISO at Barrier Networks, told Spiceworks: “This is a stunning security lapse at one of the most prestigious banks in the world, which is expected to have well-established systems lifecycle management procedures in place.”
“Not only does the situation mean that the bank put customer data at risk, but it also shows that the organization did not follow the expected policy that explained the safe disposal of IT equipment. Such a large fine and consequences for Morgan Stanley’s clients are avoidable.”
Morgan Stanley recovered some of the devices, but the “vast majority” were never recovered. More than 42 servers holding unencrypted customer data remain unaccounted for. These hard drives and servers belonged to local offices and branches that have since closed.
“Other businesses should use this case as an example of why it is so important to have processes in place to properly dispose of IT equipment. IT systems store sensitive information, so it’s important to work with a reliable vendor that can destroy data without putting it at risk,” Schroeder added.
Morgan Stanley expressed satisfaction with the outcome in a statement to multiple news outlets. “We are happy to resolve this issue,” the company said. “We previously notified the relevant customers of these issues, which occurred several years ago, and did not detect any unauthorized access to or misuse of the customer’s personal information.”
However, the bank did not specify how it investigated, nor whether the exposed personally identifiable information was used for financial fraud, identity theft, or any other nefarious activity by threat actors. The shipping company hired by Morgan Stanley sold thousands of these devices to a third party by auctioning them online without removing the identifying information.
SEC Enforcement Division Director Gurbir Grewal said, “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB failed to do so. If this sensitive information is not properly protected, it can end up in the wrong hands and have disastrous consequences for investors.”
Schroeder: “Any company that doesn’t [implement appropriate safeguards] could be found to be in breach of GDPR and other privacy regulations and may face the same fines.”
Source: Lax data security practices cost Morgan Stanley $35 million in SEC fines, https://www.spiceworks.com/it-security/security-general/news/morgan-stanley-data-security-privacy-fine/