Morgan Stanley Discarded Old Hard Drives Without Deleting Customer Data First

An investigation by the US Securities and Exchange Commission (SEC) found that Morgan Stanley Smith Barney, now known as Morgan Stanley Wealth Management, put the personal information of 15 million customers at risk through the way it decommissioned old hard drives and servers.

Starting in 2015, and over a period of about five years, Morgan Stanley repeatedly hired a moving and storage company to decommission old hard drives and servers. There were two problems with this decision. First, the vendor had “no experience or expertise in data destruction services,” according to the SEC. Second, Morgan Stanley had not encrypted the data on the drives and made no attempt to wipe it before handing the hardware over to the moving company.

This left the personal data of millions of Morgan Stanley customers sitting on thousands of old hard drives without any form of protection. The SEC found that instead of destroying the data, the moving company sold the drives to a third party, which in turn resold some of them on internet auction sites with the data still intact. The vast majority of these drives have never been recovered.

In total, the SEC investigation found records showing that “42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing.” The devices Morgan Stanley used could encrypt data at rest, but the feature was never enabled.
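Neither safeguard the SEC faulted Morgan Stanley for skipping (encrypting data at rest, and sanitizing drives before release) is hard to verify. The following is an added example, not code from the article, the SEC order or Morgan Stanley: a small Python check that scans a drive image block by block and reports whether each block looks zeroed, random (encrypted or properly overwritten), or still carries readable plaintext. The images it scans are constructed in memory and the “customer record” in them is invented; the 7.5-bit entropy threshold and 16-character printable-run heuristic are assumptions chosen for this illustration.

```python
"""Residual-data check for a drive image before the hardware leaves custody.

Added illustration (not from the article or the SEC order). Every block of
the image is classified as zeroed, random (encrypted or overwritten with
random data), plaintext (printable runs at low entropy), or other. All
input is constructed in memory; no real drive is touched.
"""
import math
import os
import re
from collections import Counter

BLOCK = 4096                       # assumed sector-group size for the scan
RANDOM_THRESHOLD = 7.5             # assumed: bits/byte above which data is treated as random
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{16,}")   # assumed: 16+ printable bytes = readable text


def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_block(block: bytes) -> str:
    """Label one block. Random is tested before plaintext so that a rare
    printable run inside ciphertext is not mistaken for leaked data."""
    if not block.strip(b"\x00"):
        return "zeroed"
    if entropy_bits(block) > RANDOM_THRESHOLD:
        return "random"
    if PRINTABLE_RUN.search(block):
        return "plaintext"
    return "other"


def scan_image(image: bytes, block_size: int = BLOCK) -> dict:
    """Scan a whole image; anything that is not zeroed or random blocks release."""
    counts = Counter()
    first_plaintext = None
    for off in range(0, len(image), block_size):
        kind = classify_block(image[off:off + block_size])
        counts[kind] += 1
        if kind == "plaintext" and first_plaintext is None:
            first_plaintext = off
    return {
        "blocks": dict(counts),
        "first_plaintext_offset": first_plaintext,
        "safe_to_release": counts["plaintext"] == 0 and counts["other"] == 0,
    }


def build_sample_images() -> dict:
    """Constructed sample images (8 blocks each); the record text is invented."""
    record = b"ACCT 0001 | Jane Example | 123 Main St | SSN 000-00-0000\n" * 64
    plain = record.ljust(8 * BLOCK, b"\x00")          # never encrypted, never wiped
    zeroed = bytes(8 * BLOCK)                          # overwritten with zeros
    random_image = os.urandom(8 * BLOCK)              # encrypted at rest / random overwrite
    partial = zeroed[:4 * BLOCK] + plain[:4 * BLOCK]  # a wipe that stopped half way
    return {"plain": plain, "zeroed": zeroed, "random": random_image, "partial": partial}


if __name__ == "__main__":
    for name, image in build_sample_images().items():
        result = scan_image(image)
        verdict = "OK to release" if result["safe_to_release"] else "HOLD: residual data"
        print(f"{name:8s} {result['blocks']}  -> {verdict}")
```

Run against a real device you would feed `open('/dev/sdX', 'rb')` in fixed-size reads instead of an in-memory image; a single `plaintext` or `other` block is enough to keep the drive out of the vendor's hands, and the `partial` case shows why a wipe must be verified end to end rather than assumed from the first few sectors.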


Gurbir S. Grewal, Director of the SEC’s Enforcement Division, said that Morgan Stanley’s failures were “astonishing,” and that the company “fell woefully short” of protecting its customers’ personal information. Morgan Stanley consented to the SEC’s finding that it “violated the Safeguards and Disposal Rules under Regulation S-P,” without admitting or denying the findings. The company also agreed to pay a $35 million penalty to settle the charges against it.
