Morgan Stanley has agreed to pay a $6.5 million fine for potentially exposing millions of consumers’ personal information through a failure to properly erase unencrypted data when disposing of the company’s computer devices.
The multinational investment bank failed to properly dispose of thousands of hard drives and servers storing information of millions of customers by hiring a moving company with no data-destruction experience to decommission them, the Office of the Attorney General of the State of Florida says.
“Morgan Stanley failed to properly monitor the moving company that used internet auctions to sell the computer equipment,” reads the press release.
According to the agreement, the bank was unaware of the problem until a downstream buyer found the data and contacted the company.
Morgan Stanley also misplaced 42 servers during decommissioning, “all potentially containing unencrypted customer information.”
The company blamed the issue on a manufacturer whose software failed to encrypt the data.
Attorney General Ashley Moody finds the finance behemoth ultimately responsible, saying it “put the personal information of millions of its customers at risk through the mishandling of decommissioned devices. Now, Morgan Stanley will have to pay $6.5 million and take steps to ensure customer data is protected.”
Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, according to the announcement. Had it done so, “both data-security events could have been prevented.”
The bank has been instructed to adopt several provisions to strengthen personal information protection for its consumers, including:
· Encrypt all personal information, whether stored or transmitted, between documents, databases or elsewhere
· Maintain a written policy that governs the collection, use, retention and disposal of consumers’ personal information
· Employ a manual process and automated tools to track the location of all hardware that contains personal information
· Maintain a comprehensive information security program that includes regular updates that are necessary to reasonably protect the privacy, security and confidentiality of personal information
· Support an incident response plan that documents incidents and actions taken in relation to the incidents
· Maintain a vendor risk assessment team to assess and monitor vendors’ compliance with Morgan Stanley’s data-security requirements
It is unclear if any of the data made its way into the public domain, or worse, into the hands of fraudsters eager to phish or extort individual customers. A full copy of the agreement can be found here.