Morgan Stanley fined $35m after hard drives sold with customer info still on them

Encryption? Data destruction? Bueller?


Morgan Stanley Smith Barney has agreed to pay a paltry $35 million penalty after customers' sensitive records were left unencrypted on unwiped hard drives that were auctioned off after decommissioning.

The financial services giant will cough up the cash to settle SEC charges that, during several datacenter server decommissioning and moving projects beginning in 2015, it failed to properly dispose of thousands of hard drives and backup tapes containing people's personal identifiable information (PII).

According to the US watchdog, over a five-year period as many as 15 million people's non-encrypted private information was mishandled in one way or another, from tapes not being properly destroyed to drives being sold off without being wiped.

Morgan Stanley Smith Barney (MSSB aka Morgan Stanley Wealth Management) has neither admitted nor denied the SEC's findings. While these are serious charges for an investment firm that manages almost $5 trillion in total client assets — not to mention being a treasure trove for any would-be identity thief — your humble vultures wouldn't be surprised to hear that an exec paid the $35 million on the company plastic, straight out of the expense account.

Even calling the fine a slap on the wrist is too strong a phrase. It's doubtful that Morgan Stanley, which raked in more than $12 billion in profit for just the three months to June 30, even felt the blow.

To quote Twitter's former head of security Peiter "Mudge" Zatko's testimony before the US Senate Judiciary Committee last week, these one-off fines over data misuse are just a "cost of doing business," in the minds of corporate suits.

The SEC said [PDF] that, for instance, while decommissioning two datacenters in 2016, MSSB hired a moving company to "remove, destroy, or delete" any data contained on thousands of devices from the facilities.

However, the moving company had no experience providing these types of data destruction services, we're told. At some point, said moving company stopped working with an e-waste management firm to wipe the devices and instead began selling the machines to a third party.

"As a result of MSSB's failure to oversee its vendor, [the] moving company sold approximately 4,900 information technology assets, including unwiped hard drives, some of which, cumulatively, contained thousands of pieces of PII of MSSB's customers," according to the SEC's complaint.

A year later, some of these unwiped hard drives ended up on an online auction site, where an IT consultant in Oklahoma purchased them, and then sent an email to MSSB saying he had access to the data on the devices. The financial services firm eventually bought back the hard drives, we're told.

Despite this, and MSSB's own acknowledgement in 2015 that the moving company's "security program is not independently assessed leading to potential gaps in security, breaches, and non-compliance with policies and regulatory requirements," the financial services firm allegedly continued working with the shoddy movers.

Also, according to the SEC, in 2017 MSSB lowered the moving company's risk assessment from "moderate" to "low."

In another major MSSB misstep, the SEC uncovered a similar decommissioning-gone-wrong incident in 2019. This time, MSSB planned to decommission about 500 storage devices from "various local MSSB offices or branches," we're told.

However, when it came time to check that the storage units had, in fact, been destroyed, "MSSB was unable to locate 42 of the devices," the SEC alleged.

"The 42 missing devices all potentially contained unencrypted customer PII and consumer report information," the agency noted. Ouch.

The devices being decommissioned were equipped with encryption capability, but the watchdog said MSSB failed to activate the encryption feature until 2018, and even then some data stored prior to 2018 remained unencrypted.

"MSSB's failures in this case are astonishing," said Gurbir S. Grewal, director of the SEC's Enforcement Division in a statement. "Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors."

So far so good. It's hard to argue with any of that. But then he added: "Today's action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data."

Apparently one organization's "clear message" is another's "cost of doing business." ®