Morgan Stanley has settled with the US Securities and Exchange Commission (SEC) over claims that the financial services corporation failed to adequately protect confidential customer data.
As part of the settlement, the company will pay $35 million, but will not plead guilty or contradict the SEC’s findings.
The SEC found that Morgan Stanley had failed to protect customer data by mishandling the decommissioning of some of its storage units. This apparently involved hiring a removal and storage company “with no experience or knowledge of data destruction services” to decommission thousands of hard drives (HDDs) and servers containing unencrypted information enabling the identification of millions of Morgan Stanley customers as early as 2015.
Loss of servers
The company, instead of properly disposing of the sensitive equipment, allegedly sold it to a third party who eventually sold it through an internet auction.
Moreover, the moving company managed to lose 42 servers.
“Clients entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and the MSSB has failed to do so,” said Gurbir S. Grewal, director of the SEC’s Enforcement Division.
“If not properly secured, this sensitive information could fall into the wrong hands with catastrophic consequences for investors. Today’s action sends a clear message to financial institutions that they must take their responsibility to protect such data seriously.”
Decommissioning a data center is an entire industry in which companies devise whole processes to ensure that old and obsolete storage units are properly disposed of, without exposing sensitive data to third parties.
Over the past decade, data has become an extremely valuable asset, prompting governments, privacy advocates, and various nonprofits to pay more attention to how large tech companies collect, store, and share customer information.
By: Tom’s gear