Morgan Stanley Fined $35 Million for Not Encrypting HDDs, Servers
The Securities and Exchange Commission has fined Morgan Stanley Smith Barney (MSSB) for failing to protect customers’ personally identifiable information (PII) over a five-year period. The SEC also says the firm hired unqualified companies to destroy the storage devices that held that data.
The SEC found that Morgan Stanley failed to properly dispose of storage devices containing customer PII dating back to 2015. The commission also found several cases in which Morgan Stanley contracted “moving and storage companies with no experience or expertise” to destroy thousands of HDDs and servers containing personal information for millions of clients. Instead of destroying the drives and servers, the contractor sold them to third parties, who in turn sold them at Internet auctions.
Companies that work with sensitive data typically use Hardware Security Modules (HSMs) such as Marvell’s LiquidSecurity, Self-Encrypting Drives (SEDs), or at least encrypt data in software. Decommissioning an SED is quick and easy: the drive simply wipes its encryption key, after which the ciphertext on the media is unreadable. Morgan Stanley did not use SEDs and did not encrypt the data on its servers, even though the servers supported that functionality. Decommissioning a server holding unencrypted data requires erasing all of it so that nothing can be recovered, which often means physically destroying the storage device. MSSB’s contractors did not do this, and MSSB did not properly monitor their work.
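The contrast between the two decommissioning paths above is easy to see in a small simulation. The following is an added example, not code from the article or from Morgan Stanley or any drive vendor. It models a self-encrypting drive whose media holds only ciphertext and whose media encryption key (MEK) lives in a separate key slot, next to a plain drive that stores plaintext. The cipher is an HMAC-SHA256 counter-mode keystream from the standard library, an assumption made so the example runs without dependencies; a real SED uses AES-XTS in the drive controller. The block size, record and drive geometry are constructed toy values.

```python
"""Toy self-encrypting drive vs. plain drive: why crypto-erase is a one-step
decommissioning operation and an unencrypted drive needs every block
overwritten (or the platters destroyed).  Added example; not the article's
or any vendor's code.  HMAC-SHA256 in CTR style stands in for AES-XTS."""
import hashlib
import hmac
import os

BLOCK_SIZE = 16  # bytes per block; constructed toy geometry, not a real drive's


def _keystream(key: bytes, block_no: int, length: int) -> bytes:
    """Per-block keystream HMAC(key, block_no || counter), so each block gets
    a unique pad.  Stand-in for a real SED's AES-XTS (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = block_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def pad_block(data: bytes) -> bytes:
    """Pad a short record to one block so the toy drives can store it."""
    if len(data) > BLOCK_SIZE:
        raise ValueError("record longer than one block")
    return data.ljust(BLOCK_SIZE, b"\x00")


class PlainDrive:
    """Drive with no encryption: the media holds the plaintext itself."""

    def __init__(self, n_blocks: int):
        self.media = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]

    def write(self, block_no: int, data: bytes) -> None:
        self.media[block_no] = pad_block(data)

    def read(self, block_no: int) -> bytes:
        return self.media[block_no]

    def raw_media(self) -> bytes:
        """What anyone holding the discarded drive can read off the platters."""
        return b"".join(self.media)

    def overwrite_all(self) -> int:
        """Sanitize by overwriting every block; cost grows with capacity.
        Returns the number of block writes performed."""
        for i in range(len(self.media)):
            self.media[i] = bytes(BLOCK_SIZE)
        return len(self.media)


class ToySED(PlainDrive):
    """Self-encrypting drive: media holds only ciphertext; the media
    encryption key (MEK) sits in a key slot the drive can zero on demand."""

    def __init__(self, n_blocks: int):
        super().__init__(n_blocks)
        self.mek = os.urandom(32)  # generated when the drive is provisioned

    def write(self, block_no: int, data: bytes) -> None:
        if self.mek is None:
            raise PermissionError("media encryption key destroyed")
        ks = _keystream(self.mek, block_no, BLOCK_SIZE)
        self.media[block_no] = bytes(a ^ b for a, b in zip(pad_block(data), ks))

    def read(self, block_no: int) -> bytes:
        if self.mek is None:
            raise PermissionError("media encryption key destroyed; data unrecoverable")
        ks = _keystream(self.mek, block_no, BLOCK_SIZE)
        return bytes(a ^ b for a, b in zip(self.media[block_no], ks))

    def crypto_erase(self) -> int:
        """Decommission by destroying the MEK: one operation regardless of
        capacity.  The ciphertext stays on the media but is now useless."""
        self.mek = None
        return 1


def residual_pii(drive: PlainDrive, marker: bytes) -> bool:
    """Is a known record visible on the raw media?  This is effectively the
    check a buyer of a resold drive performs."""
    return marker in drive.raw_media()


def readable(drive: PlainDrive, block_no: int) -> bool:
    """True if the drive still returns plaintext for the block."""
    try:
        drive.read(block_no)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    record = b"SSN 123-45-6789"  # constructed sample record, not real data
    plain, sed = PlainDrive(4), ToySED(4)
    plain.write(0, record)
    sed.write(0, record)
    print("plain drive leaks record before wipe:", residual_pii(plain, b"123-45-6789"))
    print("SED leaks record before erase:", residual_pii(sed, b"123-45-6789"))
    print("block writes to sanitize plain drive:", plain.overwrite_all())
    print("operations to sanitize SED:", sed.crypto_erase())
    print("SED readable after erase:", readable(sed, 0))
```

The point the simulation makes is that on the SED the record never reaches the media in the clear, so reselling the hardware without a wipe leaks nothing, and retirement is a single key-destroy operation; on the plain drive the record sits on the media until every block is overwritten, which is exactly the step the contractors skipped.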
Morgan Stanley also discovered that 42 servers storing virtually unencrypted customer PII and consumer report information had been lost or stolen while in the hands of the movers.
“Customers turn to financial professionals with the understanding and expectation that their personal information will be protected, but MSSB has done very poorly in doing so. Information can fall into the wrong hands with dire consequences for investors, and today’s actions send a clear message to financial institutions that they must take their obligations to protect such data seriously.”
Morgan Stanley agreed to pay $35 million in fines without admitting guilt or denying the SEC’s findings.