SEC fines Morgan Stanley $35 million after disclosing customer data on 1,000 auctioned hard drives

Facepalm: On Wednesday, Morgan Stanley settled a complaint with the Securities and Exchange Commission (SEC) over “staggering” security failures that occurred between 2016 and 2021, when the firm shut down data centers and disposed of the hardware they contained.

According to the Securities and Exchange Commission complaint, Morgan Stanley sold nearly 1,000 unencrypted hard drives that had not been erased. The complaint also alleges that the company improperly disposed of thousands of hard drives and magnetic backup media, exposing the data of more than 15 million Morgan Stanley customers. Officials called the security failure “astounding.”

SEC Director of Enforcement Gurbir S. Grewal said: “The failures of MSSB in this case are astonishing. Clients entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB has sadly failed to do so. If not properly protected, this sensitive information could end up in the wrong hands and have dire consequences for investors.”

According to the SEC, Morgan Stanley shut down two data centers in 2016, and the company’s negligence during that decommissioning led to a series of security lapses.

To start, instead of destroying the hard drives itself or having an in-house IT team wipe them, the company contracted a third-party moving company to take care of the hardware. The mover acquired 53 RAID arrays consisting of approximately 1,000 hard drives and approximately 8,000 backup tapes. The unnamed company allegedly had no experience decommissioning storage media.

The moving company initially subcontracted an IT company to wipe the drives. However, the two companies had a falling-out, and the mover began selling the storage devices to another group, which turned around and auctioned them online without erasing them.

In 2017, nearly a year after the decommissioning project began, an IT professional from Oklahoma emailed Morgan Stanley to tell the company that he had hard drives containing its customer data.

“You are a major financial institution and must follow some very strict guidelines on how to handle retired hardware,” the IT consultant wrote. “Or, at least, get some sort of data corruption verification from the vendors you sell the equipment to.”

The wealth management firm later repurchased all the hard drives the consultant had in his possession.

Besides neglecting to wipe the drives and failing to keep tabs on what its contractors were doing with them, Morgan Stanley left most customer data unencrypted even though many of the hard drives had built-in encryption support. The company only started using encryption in 2018, and only for new files; the old data remained unprotected. The SEC claims that even after 2018, some information was still stored unencrypted because of a flaw in the firm’s data protection suite.

Morgan Stanley agreed to pay the fine without admitting guilt or fault. Business Standard notes that a company spokesperson said there was no indication that any customers were affected.

“We have notified relevant customers in advance about these matters, which occurred several years ago, and have not detected any unauthorized access to or misuse of customer personal information,” the spokesperson said.
