Morgan Stanley Fined $35 Million for Not Encrypting HDDs, Servers

(Image credit: Intel)

The Securities and Exchange Commission has fined Morgan Stanley Smith Barney (MSSB) for failing to protect its customers' personal identifying information (PII) over a five-year period. The SEC claims that Morgan Stanley not only failed to destroy its clients' personal data on hard drives slated for decommissioning but also hired companies that were not qualified to do so.

The SEC found that Morgan Stanley did not properly dispose of storage devices containing its customers' PII dating as far back as 2015. The commission also found that in several cases, Morgan Stanley contracted a "moving and storage company with no experience or expertise in data destruction services" to retire thousands of HDDs and servers containing the personal information of millions of its clients. Instead of destroying the drives and servers, the company sold them to a third party, which resold them through an Internet auction.

Typically, companies dealing with sensitive data use hardware security modules (HSMs) such as Marvell's LiquidSecurity, self-encrypting drives (SEDs), or at least encrypt the data in software. Decommissioning an SED is fast and simple because it only requires erasing the encryption key held by the drive; without the key, the ciphertext left on the media is unreadable. Morgan Stanley did not use SEDs and did not encrypt data on its servers, even though the servers supported that capability. Decommissioning a server holding unencrypted data instead requires erasing all of the data and verifying that it cannot be recovered, which in many cases means physically destroying the storage devices. MSSB's contractors did not do that, and MSSB did not properly monitor their work.
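To make the distinction the paragraph draws concrete, here is an added example written for this page (not code from Morgan Stanley, the SEC, or any drive vendor). It models a self-encrypting drive whose media holds only AES-GCM ciphertext under a media encryption key (MEK) that never leaves the controller, so decommissioning is a single key rotation, beside an unencrypted drive that must be overwritten sector by sector. The `SED` and `PlainDrive` types, the sector layout and the sample customer record are constructed assumptions, not a real drive's firmware interface.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sector is one logical block as it physically sits on the media.
type sector struct {
	nonce, ciphertext []byte
}

// SED models a self-encrypting drive (constructed for this example): user data
// is encrypted with the media encryption key (MEK) before it reaches the media.
type SED struct {
	mek   []byte         // 256-bit MEK, held only inside the controller
	media map[int]sector // LBA -> encrypted sector
}

func NewSED() (*SED, error) {
	d := &SED{media: make(map[int]sector)}
	return d, d.rotateKey()
}

// rotateKey replaces the MEK with fresh random bytes.
func (d *SED) rotateKey() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	d.mek = key
	return nil
}

func (d *SED) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(d.mek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Write stores only ciphertext; the plaintext never touches the media.
func (d *SED) Write(lba int, plaintext []byte) error {
	gcm, err := d.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	d.media[lba] = sector{nonce, gcm.Seal(nil, nonce, plaintext, nil)}
	return nil
}

// Read decrypts with the current MEK. After CryptoErase the GCM tag no longer
// verifies, so every old sector reads back as an error rather than data.
func (d *SED) Read(lba int) ([]byte, error) {
	s, ok := d.media[lba]
	if !ok {
		return nil, errors.New("no such sector")
	}
	gcm, err := d.aead()
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.nonce, s.ciphertext, nil)
}

// CryptoErase is the decommissioning step for an SED: zeroise the MEK and
// install a new one. The media is untouched, and its cost does not grow with
// drive capacity.
func (d *SED) CryptoErase() error {
	for i := range d.mek {
		d.mek[i] = 0
	}
	return d.rotateKey()
}

// RawMediaContains is what someone who pulls the platters and reads them
// directly would see: does the record appear on the media in the clear?
func (d *SED) RawMediaContains(needle []byte) bool {
	for _, s := range d.media {
		if bytes.Contains(s.ciphertext, needle) {
			return true
		}
	}
	return false
}

// PlainDrive models the unencrypted servers in the story.
type PlainDrive struct{ media map[int][]byte }

func NewPlainDrive() *PlainDrive { return &PlainDrive{media: make(map[int][]byte)} }

func (d *PlainDrive) Write(lba int, p []byte) { d.media[lba] = append([]byte(nil), p...) }

func (d *PlainDrive) RawMediaContains(needle []byte) bool {
	for _, p := range d.media {
		if bytes.Contains(p, needle) {
			return true
		}
	}
	return false
}

// Overwrite is the only software remedy for an unencrypted drive: every sector
// must be touched, so the cost scales with capacity (and a missed sector leaks).
func (d *PlainDrive) Overwrite() {
	for _, p := range d.media {
		for i := range p {
			p[i] = 0
		}
	}
}

func main() {
	record := []byte("ACCT 0001 JANE DOE SSN 000-00-0000") // constructed sample PII
	sed, _ := NewSED()
	_ = sed.Write(7, record)
	got, _ := sed.Read(7)
	fmt.Printf("SED before erase: %q, plaintext on media: %v\n", got, sed.RawMediaContains(record))
	_ = sed.CryptoErase()
	_, err := sed.Read(7)
	fmt.Printf("SED after crypto-erase: read error = %v\n", err)

	plain := NewPlainDrive()
	plain.Write(7, record)
	fmt.Println("unencrypted drive, plaintext on media:", plain.RawMediaContains(record))
	plain.Overwrite()
	fmt.Println("unencrypted drive after full overwrite:", plain.RawMediaContains(record))
}
```

The point to take from running it is the asymmetry: on the SED the record is never on the media in the clear and one key rotation makes every sector unreadable, while the unencrypted drive keeps the record readable until each sector is overwritten or the hardware is destroyed, which is exactly the step MSSB's contractor skipped.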

Finally, Morgan Stanley found that 42 servers, all potentially storing unencrypted customer PII and consumer report information, were lost or stolen by the moving company.

"Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so," said Gurbir S. Grewal, Director of the SEC's Enforcement Division. "If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today's action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data." 

Morgan Stanley agreed to pay a $35 million fine without admitting guilt or denying the SEC's findings.

Anton Shilov
Freelance News Writer

Anton Shilov is a Freelance News Writer at Tom’s Hardware US. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers and from modern process technologies and latest fab tools to high-tech industry trends.

  • velocityg4
    I guess that's one less ivory backscratcher for each of the executives this year. Government fines for big companies are stuck in a 1950s mindset of what constitutes big fines. Now it can be a lot cheaper to just pay the fine than do things right. Add another zero or two and they'd really have felt the burn. $35 Mil probably hurts them as much as me getting a six pack of decent beer.
    Reply
  • Eximo
    "We shredded the paper files, what more do they want"?

    Or

    "I put my secretary in charge of it, blame her!"
    Reply
  • waltc3
    I don't use Morgan Stanley for other reasons, but this is just complete negligence! Should have been a $350M fine. It runs with what I've seen from Morgan Stanley before. I don't care for the philosophy of this company, which often puts dumb politics ahead of business, imo.
    Reply
  • Makaveli
    I agree that fine is a joke; they will make back 35 million in probably less than 24 hours.

    Even a complete moron knows you have to properly wipe hard drives and even more so when they have client data on them.
    Reply
  • Sippincider
    Eximo said:
    "We shredded the paper files, what more do they want"?

    Or

    "I put my secretary in charge of it, blame her!"

    OR...

    "I found this outfit on the Internet that'll do it for a fraction the price of everyone else! And all 5-star reviews on social media too!"
    Reply
  • coromonadalix
    Take a drill and punch a hole, 30 seconds to 1 minute ....easy ??? or take a good ol hammer and have fun with it ??
    Reply
  • helper800
    coromonadalix said:
    Take a drill and punch a hole, 30 seconds to 1 minute ....easy ??? or take a good ol hammer and have fun with it ??
    That is not enough of a complete destruction to safeguard the information on the drive when left unencrypted or otherwise. You essentially need to melt down the platters and shred the circuit boards in the HDDs to completely annul the data from them destructively. Even then it's as simple as removing all PCBs and chucking them all in a furnace and throwing the PCBs into one of those large object shredders.
    Reply
  • USAFRet
    helper800 said:
    That is not enough of a complete destruction to safeguard the information on the drive when left unencrypted or otherwise. You essentially need to melt down the platters and shred the circuit boards in the HDDs to completely annul the data from them destructively. Even then it's as simple as removing all PCBs and chucking them all in a furnace and throwing the PCBs into one of those large object shredders.
    Naa, just throw the whole drive in.
    We have shredders that turn physical drives into basically dust.

    But the problem isn't how to dispose, but rather that the data wasn't encrypted.
    Reply
  • helper800
    USAFRet said:
    Naa, just throw the whole drive in.
    We have shredders that turn physical drives into basically dust.

    But the problem isn't how to dispose, but rather that the data wasn't encrypted.
    Well, it depends on what the industrial shredder is rated to do. If it is rated at 2x2 inch reduction for a hard drive, isn't it technically unsafe to leave such large pieces of a platter? However, if you can turn a hard drive into millimeter-sized pellets then it would be safe for sure. I am more familiar with the way I have done it in the past, which is to dump all the platters into a furnace and melt them into a clump. There is no retrieving that. I would liken shredding to paper shredders; there is a possibility of patching it back together and stealing the data depending on shred size. Incineration, on the other hand, is significantly harder to come back from. I was replying specifically to the minimum destructive process to render a drive unrecoverable.
    Reply
  • TJ Hooker
    helper800 said:
    That is not enough of a complete destruction to safeguard the information on the drive when left unencrypted or otherwise. You essentially need to melt down the platters and shred the circuit boards in the HDDs to completely annul the data from them destructively. Even then it's as simple as removing all PCBs and chucking them all in a furnace and throwing the PCBs into one of those large object shredders.
    Unless you're trying to protect against targeted data harvesting by well-funded (e.g. state-sponsored) actors, drilling a hole is probably fine.

    Edit: I have no idea if drilling a hole is sufficient in terms of the legal requirements for a company to protect your data though.
    Reply