Morgan Stanley has been in a whirlwind of public outcry and class-action lawsuits since its official disclosure and notification of two separate data breach incidents in July 2020.
These notifications, concerning incidents dating back to 2016 and 2019, have attracted two class-action lawsuits [so far], filed by more than 100 members. One of these lawsuits seeks $5 million in damages for the unauthorized disclosure of customers’ PII and historical data to unknown third parties.
And now, in October 2020, the banking behemoth has been issued a notice of a $60 million civil money penalty by the United States Office of the Comptroller of the Currency (OCC).
The OCC finds that in 2016, Morgan Stanley failed to adequately address the data privacy risks associated with decommissioning of its data centers, failed to evaluate the risks associated with third-party vendors, and failed to maintain an appropriate inventory of customer data stored on the devices. The federal bureau further notes that in 2019 the bank again experienced similar inadequacies in vendor management concerning the decommissioning of its servers.
The notice states that “by reason of the foregoing conduct, the Bank was in noncompliance with 12 C.F.R. Part 30, Appendix B – Interagency Guidelines Establishing Information Security Standards – and engaged in unsafe or unsound practices that were part of a pattern of misconduct.”
The first incident involves the decommissioning of two of the bank’s data centers in 2016 without appropriate due diligence in monitoring the third-party vendor contracted to wipe the customers’ data. The vendor allegedly failed to erase all data from the data centers’ servers and other hardware before selling it to recyclers.
Morgan Stanley learned of the residual data on the disposed-of storage hardware only much later, in 2019, through a recycler. The bank also had no documented record or audit trail that could attest to the erasure of data from the decommissioned servers.
In the second incident, in 2019, a few decommissioned servers at one of Morgan Stanley’s local branches went missing from inventory. The missing servers’ hard disks still held a portion of the customers’ deleted data in unencrypted form — later attributed to a software flaw. This data was accessible to whoever possessed the missing servers.
The two incidents potentially exposed current and former customers’ sensitive data to an unauthorized third party, with a “lifetime risk of identity theft”, as stated by the lawyers representing two of the plaintiffs. The notification letter, sent by Morgan Stanley to the California attorney general, states that the exposed data may include customers’ PII, such as account names and numbers, Social Security number, passport number, contact information, date of birth, etc.
The following aspects stand out as the root cause of these data leakage incidents:
Morgan Stanley’s situation stems from the fact that the data wiping jobs were outsourced to a third-party vendor, which brings “due diligence” into the picture, along with the subsequent lapses in process efficacy and documentation.
Adopting a professional data erasure software tool could have helped the bank preempt the situation in several ways, as follows:
Ramping up organizations’ data protection policies and practices in tandem with global regulations is an area that needs more diligent and thoughtful effort. The surfeit of data breach incidents over the decade, with their ever-growing scale of impact, underscores this fact. Residual data left by chance on storage hardware is a crucial cause of data privacy violations, aside from scenarios involving the hacking of a system (device, storage, network, etc.) to breach information.
The only way to “eradicate” sensitive, unwanted data is to erase it such that no tool or technique can retrieve it. Data erasure technology enables this using professional software tools. Aside from the assurance of wiping through systematic implementation and certified records, data erasure also nullifies the incidental risks arising from factors like missing hardware, failed encryption, and vendor mismanagement. The time for wide-scale (global) adoption of data erasure technology has arrived.
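The three controls the OCC faulted (erasing all data, verifying the result, and keeping a record tied to the asset inventory) can be demonstrated in a small script. This is an added example, not code from the article or from any erasure vendor; the asset tag and operator names are placeholders, and a temporary file stands in for a decommissioned disk.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20  # 1 MiB read/write chunk

def overwrite_media(path: str, passes=(b"\x00", b"\xff", b"\x00")) -> int:
    """Overwrite every byte once per pass pattern, syncing after each pass. Returns size."""
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()  # works for raw block devices too, where getsize() reports 0
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(BLOCK, remaining)
                f.write(pattern * n)
                remaining -= n
            f.flush(); os.fsync(f.fileno())  # make the pass durable before the next one
    return size

def verify_wiped(path: str, expected: bytes = b"\x00") -> bool:
    """Read the whole media back; every byte must equal the final pass pattern."""
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk != expected * len(chunk):
                return False  # residual data found: do not release the asset
    return True

def erasure_record(asset_tag: str, path: str, operator: str) -> dict:
    """Wipe, verify, and emit the record an auditor can tie to the asset inventory."""
    size = overwrite_media(path)
    ok = verify_wiped(path)
    h = hashlib.sha256()  # digest of post-wipe contents, recomputable from the media
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return {"asset_tag": asset_tag, "bytes": size, "verified": ok, "operator": operator,
            "method": "3-pass overwrite 0x00/0xFF/0x00 + full read-back verify",
            "post_wipe_sha256": h.hexdigest(), "timestamp_utc": datetime.now(timezone.utc).isoformat()}

def demo() -> dict:
    # Constructed sample: a temp file stands in for a decommissioned disk; tags are placeholders.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"ACCT 0000-SAMPLE SSN 000-00-0000\n" * 40000)  # constructed, not real PII
        path = f.name
    rec = erasure_record("ASSET-PLACEHOLDER-001", path, "operator-placeholder")
    os.unlink(path)
    return rec
```

Overwriting is appropriate for magnetic disks; flash media with wear-levelling needs the drive's own sanitize command, and the record should then capture that command and its verification instead.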