Summary: Amidst legal sanctions and huge public infamy, American banking giant and financial services company Morgan Stanley has agreed to pay a preliminary settlement amount of $60m against a legal claim over its data breach lapse. The Morgan Stanley data breach is a classic example of how ignoring due diligence while decommissioning IT assets at the end of their life can turn into a lapse worth millions of dollars and the loss of customer trust built over years.
The breach compromised the personal data of approximately 15 million customers of the bank. In July 2020, it attracted a class-action lawsuit by hundreds of the bank’s customers whose data were allegedly compromised in two security breaches, one in 2016 and one in 2019, both owing to improper wiping of decommissioned data center equipment. The lawsuit alleged that the banking behemoth failed to safeguard its customers’ personally identifiable information (PII), including customer names and account numbers, social security numbers, passport details, contact information, dates of birth, etc.
The incident in 2016 involved two data centers that were not properly decommissioned due to malpractice in vendor selection and a further failure to properly monitor the third-party vendor. The vendor had allegedly failed to wipe all data from the servers and other equipment of the data centers before selling it to a downstream recycler. The bank was apprised of the lapse much later, in 2019, through the third-party vendor. Much to the bank’s dismay, it did not have any documented evidence of the data having been completely wiped from the decommissioned servers. In the second incident, in 2019, one of the bank’s decommissioned servers at its local branches went missing from the inventory, leaving the data on the server’s hard disk accessible in unencrypted form to anyone who had access to the missing server.
The motion for class action settlement read, “In 2020, after an investigation, the Office of Comptroller of Currency (OCC) directed Morgan Stanley to provide notice of the Data Security Incidents to its potentially affected current and former clients. Morgan Stanley began distributing notice letters in July 2020. The action by the OCC resulted in a consent order stating that Morgan Stanley failed to effectively assess or address the risks associated with the decommissioning of its hardware.”
The OCC in 2020 found that “Morgan Stanley along with failure to assess decommissioning risks also failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices in 2016.” The OCC also found that, “In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data.”
The settlement motion also read that “this Settlement provides for a non-reversionary cash settlement fund for the benefit of Settlement Class Members in the same amount as the OCC fine, $60 million, in addition to other very substantial benefits.”
If the settlement amount is approved by the Manhattan federal court, it will be awarded to all those who were potentially impacted by the alleged breach and data security lapse. Every class member can claim up to $10,000 for out-of-pocket expenses, 24 months of fraud insurance services, and a further $100 for lost time.
What Could Have Prevented the Morgan Stanley Breach?
The Morgan Stanley breach occurred owing to a lapse by the bank in exercising due diligence when selecting a third-party vendor, and in not ensuring that customer data was destroyed with documented evidence. Adopting professional data erasure software, whether by the bank or by the third-party vendor, would have addressed the problem in more than one way:
DIY Tool Securely Performs Onsite Erasure
Modern secure and certified data erasure software such as BitRaser Drive Eraser provides a DIY utility to facilitate onsite erasure of legacy storage media with no or minimal technical assistance. The IT asset management team at Morgan Stanley could have used such software to wipe the hard drives on the bank’s own premises. Onsite erasure means decommissioned hardware and IT assets are completely wiped before they leave the bank’s facility, so a later break in the chain of custody (such as a vendor selling equipment on, or a device going missing) no longer exposes customer data.
Offers Secure & Reliable Tamper Free Audit Trails
Certified data erasure software generates a digital record for every wiped hard drive or storage device, which serves as a secure, reliable, tamper-free audit trail. Systematic records in the form of audit trails provide documented evidence of data wiping for every decommissioned device leaving the bank’s custody, which is exactly the evidence the bank could not produce in 2019.
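As an added illustration (not code from the original article, from BitRaser, or from Morgan Stanley), the following Python sketch shows what the two controls described above, onsite overwrite-and-verify and a per-device tamper-evident erasure record, amount to in practice, together with the inventory reconciliation whose absence the OCC cited. The "drive" is a byte array standing in for a block device, the audit key, asset tags and sample contents are constructed placeholders, and the HMAC-signed JSON record is one simple way to make later edits detectable; a real deployment would keep the key in an HSM or KMS and store records in a write-once log.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical audit-signing key. Constructed placeholder; in production this
# lives in an HSM/KMS and is never stored next to the records it protects.
AUDIT_KEY = b"example-audit-key-not-for-production"


def overwrite_and_verify(media, passes=(b"\xff", b"\x00")):
    """Overwrite a simulated storage device in place, then verify the final pass.

    `media` is a bytearray standing in for a block device. Each pass writes one
    byte pattern across the whole device; the last pattern is read back and
    compared so the record can state that verification actually happened.
    """
    size = len(media)
    for pattern in passes:
        media[:] = pattern * size
    final = passes[-1][0]
    verified = all(b == final for b in media)   # read-back check of last pass
    return {
        "size_bytes": size,
        "passes": len(passes),
        "final_pattern": f"{final:02x}",
        "verified": verified,
        "post_erasure_sha256": hashlib.sha256(bytes(media)).hexdigest(),
    }


def _canonical(record):
    # Sorted keys and fixed separators so the same record always signs the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, key=AUDIT_KEY):
    """Attach an HMAC-SHA256 over the canonical JSON of the erasure record."""
    mac = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": mac}


def verify_record(signed, key=AUDIT_KEY):
    """True only if the record has not been altered since it was signed."""
    expected = hmac.new(key, _canonical(signed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def decommission(asset_tag, serial, media, operator, site):
    """Wipe one device onsite and produce its signed audit-trail entry."""
    result = overwrite_and_verify(media)
    record = {
        "asset_tag": asset_tag,
        "serial": serial,
        "operator": operator,
        "site": site,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        **result,
    }
    return sign_record(record)


def inventory_gaps(inventory, signed_records):
    """Asset tags in the decommissioning inventory with no valid, verified record.

    A record counts only if its MAC checks out and its own verification flag is
    set; anything else is a gap the bank would have to explain to a regulator.
    """
    covered = {
        s["record"]["asset_tag"]
        for s in signed_records
        if verify_record(s) and s["record"]["verified"]
    }
    return sorted(set(inventory) - covered)


if __name__ == "__main__":
    # Constructed sample: two drives leaving custody, one of which is never wiped.
    drive_a = bytearray(b"ACCT 0000111122 SSN 000-00-0000 " * 64)
    rec_a = decommission("MS-DC-0001", "SN-PLACEHOLDER-A", drive_a, "it-ops", "datacenter-1")
    inventory = ["MS-DC-0001", "MS-DC-0002"]
    print("record valid:", verify_record(rec_a))
    print("assets without verified erasure:", inventory_gaps(inventory, [rec_a]))
```

Running the block reports that the signed record for the first drive validates and that the second asset tag has no verified erasure record; editing any field of a stored record (say, the serial number) makes `verify_record` return `False`, which is the property that lets such records stand as evidence.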
Adherence with GLBA Regulations
Data erasure technology helps businesses adhere to banking regulations such as GLBA by complying with the Information Systems provision in the Safeguards Rule of the law. Permanent data erasure allows organizations to erase non-public personal information (NPI) beyond any scope of recovery, and thus prevents the kind of unwanted exposure seen in the present Morgan Stanley case. In addition, tamper-free audit trails demonstrate that data was actually wiped and hence support compliance with GLBA regulations.
Growing data breach incidents underscore the fact that every organization must have reinforced and robust data protection and data security policies. The Morgan Stanley data breach incidents bring data protection and privacy needs into the spotlight. They also reinforce the importance of secure and permanent erasure of data from used devices before they are sent out to any third-party recycler. The only way to get rid of sensitive and unwanted data is to permanently wipe it beyond recovery. Due diligence in employing a professional data erasure solution could have helped Morgan Stanley avoid the exposure of customer data in both 2016 and 2019.