Morgan Stanley has settled with the US Securities and Exchange Commission over allegations that the financial services company failed to adequately protect sensitive customer information.
As part of the settlement, the company will pay $35 million but will not admit guilt or dispute the SEC’s findings.
The SEC found that Morgan Stanley had failed to protect customer data by mishandling the decommissioning of some of its storage hardware. This apparently included hiring a moving and warehousing company “with no experience or expertise in data destruction services” to decommission thousands of hard disk drives (HDDs) and servers that carried the unencrypted personal data of millions of Morgan Stanley customers since 2015.
Instead of properly disposing of the sensitive hardware, the moving company allegedly sold it to a third party, who ended up selling it in an internet auction.
In addition, the moving company managed to lose 42 servers.
“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB has failed miserably to do this,” said Gurbir S. Grewal, director of the SEC’s Enforcement Division.
“If this sensitive information is not properly protected, it can fall into the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take their obligation to protect this data seriously.”
Data center decommissioning is an entire industry, with companies developing dedicated processes to ensure old and obsolete storage units are properly disposed of without disclosing sensitive data to third parties.
Over the past decade, data has become an extremely valuable commodity, prompting governments, privacy advocates, and various non-profit organizations to pay closer attention to how large tech companies collect, store, and share customer information.
Via: Tom’s Hardware
https://www.techradar.com/news/morgan-stanley-fined-millions-for-not-encrypting-hardware Morgan Stanley fined millions for not encrypting hardware