Morgan Stanley Smith Barney has agreed to pay a paltry $35 million in fines after clients’ sensitive records were left unencrypted on unerased hard drives that were auctioned off after decommissioning.
The financial services giant will spend the money to settle SEC charges that it improperly disposed of thousands of hard drives and backup tapes containing individuals’ personally identifiable information (PII) during several projects to decommission and relocate data center servers beginning in 2015.
According to the US regulator, over a five-year period, up to 15 million people’s private information was abused in one way or another, from tapes that were improperly destroyed to drives sold without erasure.
Morgan Stanley Smith Barney (MSSB, aka Morgan Stanley Wealth Management) has neither admitted nor denied the SEC’s findings. While these are serious failings for an investment firm that manages nearly $5 trillion in client assets (not to mention a treasure trove for any would-be identity thief), your humble vultures wouldn’t be surprised to hear that an executive put the $35 million on the company plastic straight from the expense account.
Calling the fine a slap on the wrist is actually too strong a phrase. It is doubtful that Morgan Stanley, which made more than $12 billion profit in just the three months ending June 30, will even feel the blow.
To quote Twitter’s former security chief Peiter “Mudge” Zatko, testifying before the US Senate Judiciary Committee last week, these one-off data breach fines are just “costs of doing business” in the minds of corporate suits.
The SEC said [PDF] that, for example, when MSSB decommissioned two data centers in 2016, it hired a moving company to “remove, destroy, or erase” all data contained on thousands of devices from the facilities.
However, the moving company had no experience in providing this type of data destruction service, we were told. Eventually, the mover stopped working with the e-waste disposal company that had been erasing the equipment and instead began selling the machines to third parties.
“As a result of MSSB’s failure to oversee its provider, the mover sold approximately 4,900 IT assets, including unerased hard drives, some of which cumulatively contained thousands of PII from MSSB customers,” the SEC’s complaint said.
A year later, some of those unerased hard drives ended up on an online auction site, where an IT consultant in Oklahoma bought them and then emailed MSSB saying he had access to the data on the devices. The financial services company eventually bought back the hard drives, we’re told.
Despite this, and MSSB’s own finding in 2015 that the mover’s “security program is not independently assessed, leading to potential security vulnerabilities, breaches, and non-compliance with policies and regulatory requirements,” the financial services company allegedly continued to work with the mover.
MSSB also lowered the mover’s risk rating from “moderate” to “low” in 2017, according to the SEC.
In another major MSSB misstep, the SEC uncovered a similar decommissioning-gone-awry incident in 2019. This time, MSSB planned to decommission about 500 storage devices from “various local MSSB offices or branches,” we were told.
However, when it came time to verify that the storage units had indeed been destroyed, “MSSB could not locate 42 of the devices,” the SEC claimed.
“The 42 missing devices all contained potentially unencrypted customer PII and consumer reporting information,” the agency noted. Ouch.
The decommissioned devices came with encryption capabilities, but the watchdog said MSSB did not enable encryption until 2018, and even then some data stored before 2018 remained unencrypted.
“The failure of MSSB in this case is astounding,” Gurbir S. Grewal, director of the SEC’s Enforcement Division, said in a statement. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB has failed miserably. If this sensitive data is not properly protected, it can fall into the wrong hands and have disastrous consequences for investors.”
So far, so good. It’s hard to argue with any of that. But then he added: “Today’s action sends a clear message to financial institutions that they must take their obligation to protect such data seriously.”
Apparently, one organization’s “clear messages” are another’s “costs of doing business”. ®
https://www.theregister.com/2022/09/20/mssb_sec_fine/ Morgan Stanley fined $35 million for misuse of personal information • The Register