SEC fines Morgan Stanley $35 million after exposing customer data on 1,000 auctioned hard drives

On Wednesday, Morgan Stanley settled a complaint by the Securities and Exchange Commission (SEC) over “astonishing” security failures that occurred between 2016 and 2021. The financial giant, through its wealth management arm Morgan Stanley Smith Barney (MSSB), agreed to pay a $35 million fine for the improper disposal of hard drives from its decommissioned data centers.

According to the SEC’s complaint, roughly 1,000 unencrypted HDDs whose contents had never been erased ended up auctioned off. More broadly, the SEC says the company improperly disposed of thousands of hard drives and backup magnetic media, exposing the data of more than 15 million Morgan Stanley customers.

“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said SEC’s Enforcement Division Director Gurbir S. Grewal. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”

According to the SEC, Morgan Stanley decommissioned two data centers in 2016, resulting in a cascade of security lapses caused by the company’s negligence.

To start with, rather than destroying the hard drives or having an internal IT team zero them, the company contracted a third-party moving company to take care of the hardware. The mover took possession of 53 RAID arrays made up of around 1,000 HDDs, plus about 8,000 backup tapes. The unnamed firm allegedly had no experience in decommissioning storage media.

The moving company initially subcontracted an IT firm to wipe the drives. However, the two companies had a falling out, and the mover began selling the storage devices to another outfit that turned around and auctioned them online without erasing them.

In 2017, nearly a year after the decommissioning project began, an IT professional from Oklahoma emailed Morgan Stanley and informed it that he had hard drives containing the firm’s customer data.

“You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware,” the IT consultant wrote. “Or, at the very least, getting some kind of verification of data destruction from the vendors you sell equipment to.”

The wealth management company subsequently bought back all the HDDs the consultant had in his possession.

Beyond failing to zero the drives and failing to keep tabs on what its contractors were doing with them, Morgan Stanley had left most of the customer data unencrypted, even though many of the HDDs had built-in encryption support. It only began using encryption in 2018, and only for newly written data; existing data was left in the clear. The SEC claims that even after 2018 some information remained unencrypted because of a flaw in the data protection software the firm used.
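The two controls the article says were missing are a verified overwrite before the hardware left the building (the zeroing and the "verification of data destruction" the Oklahoma consultant asked for) and a record of it for the custody log. The script below is an added example, not code from the article, the SEC, or Morgan Stanley. It runs against an ordinary file standing in for a block device, so it works offline; pointing it at a real device path would need root and is destructive. The overwrite-plus-read-back approach corresponds to the "Clear" level of NIST SP 800-88; note that a software overwrite does not reach reallocated sectors or an SSD's spare area, which is why physical destruction or, for self-encrypting drives, a cryptographic erase is the stronger choice.

```python
"""Zero a storage image, read every byte back, and emit a destruction record.

Added example (hypothetical helper names). The file path stands in for a
block device; nothing here talks to real disk hardware.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB I/O blocks


def overwrite_with_zeros(path: str) -> int:
    """Overwrite every byte of `path` with 0x00 and fsync. Returns bytes written."""
    size = os.path.getsize(path)
    zeros = bytes(CHUNK)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(zeros[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # make sure the zeros reach the medium, not just the page cache
    return size


def verify_all_zero(path: str) -> bool:
    """Full read-back: True only if every byte on the medium is 0x00."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):  # any non-zero byte means the wipe is incomplete
                return False


def sanitize(path: str) -> dict:
    """Wipe, verify, and return a record a custodian can attach to the chain-of-custody log."""
    written = overwrite_with_zeros(path)
    ok = verify_all_zero(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return {
        "path": path,
        "bytes": written,
        "verified": ok,
        "sha256_after": h.hexdigest(),  # digest of the post-wipe contents
    }


def make_sample_image(size: int = 3 * CHUNK + 17) -> str:
    """Constructed stand-in for a drive: random bytes, so it is clearly not blank."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


if __name__ == "__main__":
    img = make_sample_image()
    print("blank before wipe:", verify_all_zero(img))
    print(sanitize(img))
    os.remove(img)
```

The read-back step is the part that was missing in the story: a "wiped" label from a vendor is worth nothing without it, and the `verified` field is what a decommissioning team should insist on seeing before a drive is released or resold.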

Morgan Stanley agreed to pay the fine without admitting guilt or wrongdoing. The Business Standard notes that a spokesperson said there is no indication that any customers were affected.

“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” said the spokesperson.