The SEC has fined Morgan Stanley $35 million for improperly disposing of customer data when decommissioning hardware at its data centers and local branches. The SEC states in its complaint that over a five-year period, Morgan Stanley failed to dispose of thousands of hard drives containing the data of over 15 million customers in a secure manner.
From Dan Goodin for Ars Technica:
Much of the failure stemmed from the 2016 hire of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the data of millions of customers. The moving company received 53 RAID arrays that collectively contained roughly 1,000 hard drives, and it also removed about 8,000 backup tapes from one of the Morgan Stanley data centers.
The unnamed moving company initially contracted with an IT specialist to wipe or destroy any sensitive data stored on the drives. Eventually, the moving company stopped working with that specialist and began selling the storage devices to a company that in turn sold them at auction. The new company was never vetted by Morgan Stanley or approved as a contractor or subcontractor in the decommissioning project.
Morgan Stanley found out about this when a consultant who had purchased some of the hard drives at auction contacted the firm. The SEC complaint also noted that the hard drives were not encrypted, even though this would have been easy to implement: the storage hardware already supported it, and most modern technology stacks enable this functionality. Without admitting fault, Morgan Stanley has agreed to pay the $35 million fine for violating the Safeguards and Disposal Rules under Regulation S-P.
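The encryption point above is the one a decommissioning process can actually check before a drive leaves the building: if the volume carries a LUKS header, the data on it is only as exposed as the key. The following is an added example, not code from the original post or from Morgan Stanley or the SEC. It reads the first sectors of a disk image and reports whether a LUKS header is present, parsing the fixed-offset fields of the LUKS1 header (magic, version, cipher, mode, hash, key length). The sample images it runs against are constructed in the script; the helper and function names are my own.

```python
import struct

# On-disk LUKS magic (same for LUKS1 and LUKS2 primary headers).
LUKS_MAGIC = b"LUKS\xba\xbe"


def inspect_luks_header(blob: bytes) -> dict:
    """Describe whether `blob` (the first bytes of a disk or partition)
    carries a LUKS header.

    For LUKS1 the cipher fields live at fixed offsets in the binary header
    (cipher-name @8, cipher-mode @40, hash-spec @72, key-bytes @108, all
    big-endian). For LUKS2 only the version is reported here; its cipher
    parameters live in the JSON metadata area after the binary header.
    """
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return {"encrypted": False, "version": None}
    (version,) = struct.unpack(">H", blob[6:8])
    info = {"encrypted": True, "version": version}
    if version == 1 and len(blob) >= 112:
        def cstr(start: int, size: int) -> str:
            return blob[start:start + size].rstrip(b"\0").decode("ascii", "replace")
        info["cipher"] = cstr(8, 32)
        info["mode"] = cstr(40, 32)
        info["hash"] = cstr(72, 32)
        (info["key_bytes"],) = struct.unpack(">I", blob[108:112])
    return info


def inspect_device(path: str) -> dict:
    """Read the header region of a block device or image file and inspect it."""
    with open(path, "rb") as fh:
        return inspect_luks_header(fh.read(4096))


def unencrypted_devices(images: dict) -> list:
    """Given {label: header_bytes}, return labels that carry no LUKS header.
    Anything in this list must be wiped or physically destroyed, not resold."""
    return [label for label, blob in images.items()
            if not inspect_luks_header(blob)["encrypted"]]


# --- constructed samples (not real drive contents) -------------------------

def make_luks1_header(cipher: str, mode: str, hash_spec: str, key_bytes: int) -> bytes:
    """Build a 592-byte LUKS1 binary header with the given fields; the
    digest, salt and key-slot areas are left zeroed since only the fixed
    cipher fields are parsed above."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + len(cipher)] = cipher.encode()
    hdr[40:40 + len(mode)] = mode.encode()
    hdr[72:72 + len(hash_spec)] = hash_spec.encode()
    struct.pack_into(">I", hdr, 104, 4096)      # payload offset (sectors)
    struct.pack_into(">I", hdr, 108, key_bytes)
    return bytes(hdr)


SAMPLE_IMAGES = {
    # Plaintext NTFS boot sector: the kind of drive that ended up at auction.
    "branch-desktop-01": b"\xeb\x52\x90NTFS    " + b"\0" * 500,
    # Array member encrypted with aes-xts-plain64, 512-bit key.
    "raid-array-07-disk-3": make_luks1_header("aes", "xts-plain64", "sha256", 64),
    # Blank/zeroed drive: no header, still goes through destruction.
    "spare-drive-unlabeled": b"\0" * 512,
}

if __name__ == "__main__":
    for label, blob in SAMPLE_IMAGES.items():
        print(label, inspect_luks_header(blob))
    print("must be wiped before disposal:", unencrypted_devices(SAMPLE_IMAGES))
```

Two caveats for using this in a real decommissioning run: a LUKS header only tells you the payload is encrypted, not that the key material (passphrase, TPM-sealed key, KMS entry) has been retired, so the drive should still be wiped or shredded; and self-encrypting drives, BitLocker volumes and hardware RAID encryption leave no LUKS header, so absence of the magic is a reason to investigate, not proof of plaintext.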
The fact that the USA does not have a comprehensive data protection law such as the GDPR is a massive tragedy given that many of the world's largest technology companies are headquartered there. This kind of behavior is inexcusable, especially when it occurs at such a significant scale.