Morgan Stanley Fined $35 Million for Not Encrypting HDDs, Servers
Morgan Stanley repeatedly failed to protect personal data of clients, says SEC.
The Securities and Exchange Commission has fined Morgan Stanley Smith Barney (MSSB) for failing to protect its customers' personal identifying information (PII) over a five-year period. The SEC claims that Morgan Stanley not only failed to destroy its clients' personal data on hard drives slated for decommissioning but also hired unqualified companies to do the job.
The SEC found that Morgan Stanley did not properly dispose of storage devices containing its customers' PII dating as far back as 2015. The commission also found that in several cases Morgan Stanley contracted a "moving and storage company with no experience or expertise in data destruction services" to retire thousands of HDDs and servers containing the personal information of millions of its clients. Instead of destroying the drives and servers, that company sold them to a third party, which resold them on an Internet auction site.
Companies that handle sensitive data typically use hardware security modules (HSMs) such as Marvell's LiquidSecurity, self-encrypting drives (SEDs), or at least software encryption. Decommissioning a SED is fast and easy because it only requires erasing the encryption key held on the drive; without the key, the ciphertext left on the platters is useless to whoever ends up with the hardware. Morgan Stanley did not use SEDs and did not encrypt data on its servers, even though the servers supported that capability. Decommissioning a server with unencrypted data requires erasing all of the data and ensuring it cannot be recovered, which in many cases means physically destroying the storage devices. MSSB's contractors did not do that, and MSSB did not properly monitor their work.
Finally, Morgan Stanley found that 42 servers, all potentially storing unencrypted customer PII and consumer report information, were essentially lost or stolen by the moving company.
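The difference between the two disposal paths described above, shown as an added example that is not from the article, from Tom's Hardware, or from Morgan Stanley. It models an unencrypted drive, where a "delete" leaves the bytes on the media, beside a self-encrypting drive whose decommissioning is just the destruction of the media encryption key. The cipher is HMAC-SHA256 used as a counter-mode keystream, a stdlib stand-in (assumption for this demo) for the hardware AES a real SED uses; the PII record is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed customer record standing in for a file on the drive.
SAMPLE_RECORD = b"name=Jane Doe;SSN=123-45-6789;acct=0001"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (demo stand-in for hardware AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PlainDrive:
    """Unencrypted drive: deleting drops the directory entry, the bytes stay on the platter."""

    def __init__(self) -> None:
        self.media = b""
        self.directory: List[Tuple[int, int]] = []  # (offset, length) per record

    def write(self, record: bytes) -> None:
        self.directory.append((len(self.media), len(record)))
        self.media += record

    def delete_all(self) -> None:
        self.directory.clear()  # platter contents untouched, exactly like a filesystem unlink

    def raw_media(self) -> bytes:
        return self.media


class SelfEncryptingDrive:
    """SED model: every sector is stored as ciphertext under a media encryption key (MEK)
    that lives only in the drive controller, never on the platters."""

    def __init__(self) -> None:
        self._mek: Optional[bytes] = secrets.token_bytes(32)
        self.media: List[Tuple[bytes, bytes]] = []  # (nonce, ciphertext) sectors

    def write(self, record: bytes) -> None:
        if self._mek is None:
            raise RuntimeError("drive has been crypto-erased")
        nonce = secrets.token_bytes(16)  # fresh nonce per write so the keystream never repeats
        self.media.append((nonce, _xor(record, _keystream(self._mek, nonce, len(record)))))

    def read_all(self) -> List[bytes]:
        if self._mek is None:
            raise RuntimeError("drive has been crypto-erased")
        return [_xor(ct, _keystream(self._mek, nonce, len(ct))) for nonce, ct in self.media]

    def crypto_erase(self) -> None:
        """Decommission: destroy the MEK. The ciphertext stays behind but is now unreadable."""
        self._mek = None  # hardware zeroizes the key register; dropping the reference models that

    def raw_media(self) -> bytes:
        """What a buyer of the surplus hardware sees by reading the platters directly."""
        return b"".join(ct for _, ct in self.media)


def pii_recoverable(raw: bytes, marker: bytes = b"SSN=") -> bool:
    """Cheap check for a plaintext PII field in whatever is physically on the media."""
    return marker in raw


def compare_disposal() -> Dict[str, bool]:
    plain = PlainDrive()
    plain.write(SAMPLE_RECORD)
    plain.delete_all()

    sed = SelfEncryptingDrive()
    sed.write(SAMPLE_RECORD)
    readable_with_key = sed.read_all() == [SAMPLE_RECORD]
    sed.crypto_erase()
    try:
        sed.read_all()
        readable_after_erase = True
    except RuntimeError:
        readable_after_erase = False

    return {
        "plain_drive_leaks_after_delete": pii_recoverable(plain.raw_media()),
        "sed_leaks_from_raw_media": pii_recoverable(sed.raw_media()),
        "sed_readable_with_key": readable_with_key,
        "sed_readable_after_crypto_erase": readable_after_erase,
    }


if __name__ == "__main__":
    for finding, value in compare_disposal().items():
        print(f"{finding}: {value}")
```

The point the comparison makes is that the unencrypted drive is only as safe as the physical destruction actually performed, whereas the SED is safe once the key is gone, regardless of who takes possession of the hardware afterwards.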
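The control that was missing in the case above is a reconciliation of what left the building against what the vendor attests to having destroyed. The following is an added example, not code from the article or from any party involved: it cross-checks a retired-asset inventory against certificates of destruction and flags the gaps an auditor would chase (no certificate at all, an unapproved vendor, a method that is not destruction, or a crypto-erase claimed for a device that was never encrypted). The vendor allow-list, method list, serial numbers and certificates are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed allow-lists for this demo; a real programme takes them from policy.
APPROVED_VENDORS = {"Certified ITAD Co"}
ACCEPTABLE_METHODS = {"shred", "degauss", "crypto-erase"}


@dataclass(frozen=True)
class Asset:
    serial: str
    kind: str            # "hdd" or "server"
    contains_pii: bool
    encrypted: bool      # media encryption (SED or software) was in use


@dataclass(frozen=True)
class DestructionCert:
    serial: str
    vendor: str
    method: str


def reconcile(inventory: Iterable[Asset], certs: Iterable[DestructionCert]) -> Dict[str, Set[str]]:
    """Cross-check every retired asset against the certificates returned by vendors.

    Returns serials grouped by finding so each group can be escalated separately."""
    assets = {a.serial: a for a in inventory}
    certs_by_serial: Dict[str, List[DestructionCert]] = {}
    for c in certs:
        certs_by_serial.setdefault(c.serial, []).append(c)

    findings: Dict[str, Set[str]] = {
        "missing_certificate": set(),           # asset left, nobody attests to its destruction
        "unapproved_vendor": set(),             # certificate from a vendor not on the allow-list
        "weak_method": set(),                   # method is not an accepted destruction technique
        "crypto_erase_on_unencrypted": set(),   # key destruction proves nothing if data was plaintext
        "certificate_for_unknown_asset": set(), # certificate names a serial never tracked
        "ok": set(),
    }

    for serial, asset in assets.items():
        if serial not in certs_by_serial:
            findings["missing_certificate"].add(serial)
            continue
        problems = 0
        for c in certs_by_serial[serial]:
            if c.vendor not in APPROVED_VENDORS:
                findings["unapproved_vendor"].add(serial)
                problems += 1
            if c.method not in ACCEPTABLE_METHODS:
                findings["weak_method"].add(serial)
                problems += 1
            elif c.method == "crypto-erase" and not asset.encrypted:
                findings["crypto_erase_on_unencrypted"].add(serial)
                problems += 1
        if problems == 0:
            findings["ok"].add(serial)

    for serial in certs_by_serial:
        if serial not in assets:
            findings["certificate_for_unknown_asset"].add(serial)
    return findings


def sample_reconciliation() -> Dict[str, Set[str]]:
    """Constructed inventory and certificates exercising each finding type."""
    inventory = [
        Asset("HDD-0001", "hdd", True, True),
        Asset("HDD-0002", "hdd", True, False),
        Asset("SRV-0003", "server", True, False),
        Asset("SRV-0004", "server", True, False),   # handed over, never heard of again
    ]
    certs = [
        DestructionCert("HDD-0001", "Certified ITAD Co", "shred"),
        DestructionCert("HDD-0002", "Certified ITAD Co", "crypto-erase"),
        DestructionCert("SRV-0003", "Moving & Storage LLC", "resold"),
        DestructionCert("HDD-9999", "Certified ITAD Co", "shred"),
    ]
    return reconcile(inventory, certs)


if __name__ == "__main__":
    for finding, serials in sample_reconciliation().items():
        print(f"{finding:32s} {sorted(serials)}")
```

Run periodically against the asset register, this is the check that turns "the vendor said they handled it" into a list of serial numbers with no evidence of destruction, which is what a missing-server count should have surfaced long before an auction listing did.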
"Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so," said Gurbir S. Grewal, Director of the SEC's Enforcement Division. "If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today's action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data."
Morgan Stanley agreed to pay a $35 million fine without admitting guilt or denying the SEC's findings.
Anton Shilov is a contributing writer at Tom’s Hardware. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers and from modern process technologies and latest fab tools to high-tech industry trends.
velocityg4
I guess that's one less ivory backscratcher for each of the executives this year. Government fines for big companies are stuck in a 1950's mindset of what constitutes big fines. Now it can be a lot cheaper to just pay the fine than do things right. Add another zero or two and they'd really have felt the burn. $35 Mil probably hurts them as much as me getting a six pack of decent beer.

Eximo
"We shredded the paper files, what more do they want?"
Or
"I put my secretary in charge of it, blame her!"

waltc3
I don't use Morgan Stanley for other reasons, but this is just complete negligence! Should have been a $350M fine. It runs with what I've seen from Morgan Stanley before. I don't care for the philosophy of this company, which often puts dumb politics ahead of business, imo.

Makaveli
I agree that fine is a joke; they will make back 35 million in probably less than 24 hours.
Even a complete moron knows you have to properly wipe hard drives, and even more so when they have client data on them.

Sippincider
    Eximo said:
    "We shredded the paper files, what more do they want?"
    Or
    "I put my secretary in charge of it, blame her!"
OR...
"I found this outfit on the Internet that'll do it for a fraction of the price of everyone else! And all 5-star reviews on social media too!"

coromonadalix
Take a drill and punch a hole, 30 seconds to 1 minute... easy??? Or take a good ol' hammer and have fun with it??

helper800
    coromonadalix said:
    Take a drill and punch a hole, 30 seconds to 1 minute... easy??? Or take a good ol' hammer and have fun with it??
That is not enough of a complete destruction to safeguard the information on the drive when left unencrypted or otherwise. You essentially need to melt down the platters and shred the circuit boards in the HDDs to completely annul the data from them destructively. Even then it's as simple as removing all PCBs and chucking them all in a furnace and throwing the PCBs into one of those large object shredders.

USAFRet
    helper800 said:
    That is not enough of a complete destruction to safeguard the information on the drive when left unencrypted or otherwise. You essentially need to melt down the platters and shred the circuit boards in the HDDs to completely annul the data from them destructively. Even then it's as simple as removing all PCBs and chucking them all in a furnace and throwing the PCBs into one of those large object shredders.
Naa, just throw the whole drive in.
We have shredders that turn physical drives into basically dust.
But the problem isn't how to dispose, but rather that the data wasn't encrypted.

helper800
    USAFRet said:
    Naa, just throw the whole drive in.
    We have shredders that turn physical drives into basically dust.
    But the problem isn't how to dispose, but rather that the data wasn't encrypted.
Well, it depends on what the industrial shredder is rated to do. If it is rated at 2x2 inch reduction for a hard drive, isn't that technically unsafe, to leave such large pieces of a platter? However, if you can turn a hard drive into millimeter-sized pellets then it would be safe for sure. I am more familiar with the way I have done it in the past, which is to dump all the platters into a furnace and melt them into a clump. There is no retrieving that. I would liken shredding to paper shredders: there is a possibility of patching it back together and stealing the data, depending on shred size. Incineration, on the other hand, is significantly harder to come back from. I was replying specifically to the minimum destructive process to render a drive unrecoverable.

TJ Hooker
    helper800 said:
    That is not enough of a complete destruction to safeguard the information on the drive when left unencrypted or otherwise. You essentially need to melt down the platters and shred the circuit boards in the HDDs to completely annul the data from them destructively. Even then it's as simple as removing all PCBs and chucking them all in a furnace and throwing the PCBs into one of those large object shredders.
Unless you're trying to protect against targeted data harvesting by well-funded (e.g. state-sponsored) actors, drilling a hole is probably fine.
Edit: I have no idea if drilling a hole is sufficient in terms of the legal requirements for a company to protect your data, though.