Infosecurity has written about the SEC’s fine for Morgan Stanley following a complaint regarding the improper disposal of devices that held customers’ information. The disposal started in 2016 and, according to the SEC, was part of an “extensive failure” that exposed 15 million customers’ data.
The complaint states that the firm allowed around 1000 unencrypted hard drives and 8000 backup tapes to be resold on auction sites without being wiped first. The mistake came to light when a consultant spotted the hard drives online and notified Morgan Stanley. The company then bought back the drives that the consultant had in their possession.
According to the SEC, Morgan Stanley hired a third-party moving company to take care of the hardware. However, this company had no experience in decommissioning storage media. It originally planned to subcontract to an IT company, but the relationship soured.
“This is an astonishing security mistake by one of the world’s most prestigious banks, who would be expected to have well-established procedures in system life cycle management… Not only does the situation mean that the bank put customer data at risk, but it also demonstrates the organization was not following an expected policy which explained the secure disposing of IT equipment,” Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity Magazine.
Morgan Stanley agreed to pay the $35 million fine without admitting guilt or wrongdoing. They reportedly said that there was no indication that any customers were affected.