Morgan Stanley has been in a whirlwind of public outcry and class-action lawsuits since its official disclosure and notification of two separate data breach incidents in July 2020.
These notifications, concerning incidents dating back to 2016 and 2019, have attracted two class-action lawsuits [so far], filed by more than 100 members. One of these lawsuits seeks $5 million in damages for the unauthorized disclosure of customers’ PII and historical data to unknown third parties.
Now, in October 2020, the banking behemoth has been issued a notice of a $60 million civil money penalty by the United States Office of the Comptroller of the Currency (OCC).
The OCC finds that in 2016, Morgan Stanley failed to adequately address the data privacy risks associated with decommissioning of its data centers, failed to evaluate the risks associated with third-party vendors, and failed to maintain an appropriate inventory of customer data stored on the devices. The federal bureau further notes that in 2019 the bank again experienced similar inadequacies in vendor management concerning the decommissioning of its servers.
The notice states that “by reason of the foregoing conduct, the Bank was in noncompliance with 12 C.F.R. Part 30, Appendix B – Interagency Guidelines Establishing Information Security Standards – and engaged in unsafe or unsound practices that were part of a pattern of misconduct.”
of the Data breach Incidents
The first incident involves the decommissioning of the bank’s two data centers in 2016 without the appropriate due diligence in monitoring the third-party vendor contracted to wipe the customers’ data. The vendor had allegedly failed to wipe (erase) the complete data from the servers and other hardware of the data centers before selling it to the
Morgan Stanley came to know of the residual data’s existence on the disposed-of storage hardware much later, in 2019, through a recycler. Also, the banking firm didn’t have any documented record or trail that could attest to the wiping (erasure) of data from the decommissioned
In the second incident, in 2019, a few decommissioned servers at one of Morgan Stanley’s local branches went missing from the inventory. The missing servers’ hard disks were left with a portion of the customers’ deleted data in an unencrypted form — later attributed to a software flaw. This data was accessible to whoever was in possession of the missing servers.
The two incidents potentially exposed the current and former customers’ sensitive data to an unauthorized third party with a “lifetime risk of identity theft”, as stated by the lawyers representing two of the plaintiffs. The notification letter, sent by Morgan Stanley to the California attorney general, states that the exposed data may comprise customers’ PII, such as account names and numbers, social security number, passport number, contact information, date of birth, etc.
Lapses at the Heart of the Incidents
The following aspects stand out as the root causes of these data leakage incidents:
- Inadequate diligence in supervising the contracted vendor
As per Morgan Stanley’s official disclosure, the vendor failed to remove the complete data from the devices retired in 2016, a matter that came to the bank’s attention several years later, through a recycler, in 2019. This indicates a lapse in supervising the contracted data wiping job and in checking its outcome against the data protection regulatory standards.
- Absence of documented records for the wiped hardware
The absence of systematic documentation is another conspicuous gap in the due diligence concerning the outsourced data wiping jobs. Data wiping records for the servers could have provided the bank with audit trails and demonstrated regulatory compliance. The vendor does not seem to have provided a record of data wiping that could attest to the job’s completeness and efficacy in line with the information security standards.
- Technical lapses in the data destruction strategy
The 2019 incident involves the presence of some unencrypted data on the missing servers due to a software flaw, a fact that came to light after the software manufacturer apprised Morgan Stanley of the glitch. It seems that the data encryption technology in place failed to sufficiently meet the goal of information protection, as it couldn’t protect the unwiped data from exposure.
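The first two lapses above (unsupervised vendor work and no record trail) and the 2019 “missing from inventory” servers all reduce to the same control: reconciling the asset inventory against sanitization records before hardware leaves custody. The following is an added example, not code from the original post or from Morgan Stanley; the inventory export, the erasure records and their field names are constructed for the demonstration and do not follow any real asset-management schema.

```python
"""Reconciling an asset inventory against data-sanitization records.

Added example, not code from the original post or from Morgan Stanley.
The inventory export and erasure records below are constructed sample data;
field names are assumptions, not any real asset-management schema.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    serial: str
    status: str               # "in_service", "decommissioned" or "disposed"
    holds_customer_data: bool


@dataclass(frozen=True)
class ErasureRecord:
    serial: str
    method: str               # e.g. "NIST SP 800-88 Purge"
    verified: bool            # post-wipe verification passed
    completed: date


# Constructed inventory: one clean disposal, one disposal with no record,
# one decommissioned server whose wipe was never verified, one workstation
# still in service, and one disposed device that never held customer data.
INVENTORY = [
    Asset("SRV-0001", "disposed", True),
    Asset("SRV-0002", "disposed", True),
    Asset("SRV-0003", "decommissioned", True),
    Asset("WS-0100", "in_service", True),
    Asset("SRV-0004", "disposed", False),
]

# Constructed vendor records: note the record for a serial the bank never
# tracked, which is exactly the "missing from inventory" gap.
ERASURE_RECORDS = [
    ErasureRecord("SRV-0001", "NIST SP 800-88 Purge", True, date(2016, 5, 1)),
    ErasureRecord("SRV-0003", "NIST SP 800-88 Clear", False, date(2016, 5, 2)),
    ErasureRecord("SRV-9999", "NIST SP 800-88 Clear", True, date(2016, 5, 3)),
]


def reconcile(inventory, records):
    """Return (serial, finding) pairs for every gap between the inventory and
    the sanitization records. A device that held customer data and has left
    service must have a verified erasure record; a record for a device the
    inventory does not know is itself a finding (untracked hardware)."""
    by_serial = {r.serial: r for r in records}
    findings = []
    for asset in inventory:
        if asset.status not in ("decommissioned", "disposed"):
            continue
        if not asset.holds_customer_data:
            continue
        record = by_serial.get(asset.serial)
        if record is None:
            findings.append((asset.serial, "no erasure record"))
        elif not record.verified:
            findings.append((asset.serial, "erasure not verified"))
    known = {asset.serial for asset in inventory}
    for record in records:
        if record.serial not in known:
            findings.append((record.serial, "erasure record for untracked device"))
    return findings


if __name__ == "__main__":
    for serial, finding in reconcile(INVENTORY, ERASURE_RECORDS):
        print(f"{serial}: {finding}")
```

Run against a real export, the reconciliation is the gate: a device with an open finding is not released to a reseller or recycler, and a vendor record for a serial the bank does not track is investigated rather than filed.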
Data Erasure Solution Could Have Spared the Trouble
Morgan Stanley’s situation stems from the fact that the data wiping jobs were outsourced to a third-party vendor, which brought “due diligence” into the picture along with the subsequent lapses in process efficacy.
Adoption of a professional data erasure software tool could have helped the bank preempt the situation in several ways, as follows:
- Professional data erasure software such as BitRaser Drive Eraser provides a D-I-Y utility to facilitate in-house (i.e., on-premises) wiping of legacy storage media with no or minimal technical assistance. The IT asset management team at Morgan Stanley could use the software to wipe the hard drives without needing a particular
For example, BitRaser Drive Eraser doesn’t even need installation; it boots into the computer system via a USB flash drive and wipes clean an entire hard drive, including all the addressable memory locations, in about 20 minutes.
Further, drives wiped using professional data erasure software can be released to the hardware reseller or e-recycler for subsequent processing without worrying about unpleasant surprises like data leakage. The custodian organization can even reassign the wiped drives to a third-party vendor for further sanitization, if policy so demands, without apprehension of lapses in due diligence and vendor supervision.
- Professional data erasure software can generate a digital report for every wiped hard drive or device. Such systematic digital reports could serve as a documented trail of the wiping records for every data-bearing device released from the bank’s custody.
For example, BitRaser Drive Eraser generates a “tamper-proof” digital report and certificate for every data erasure task and uploads those documents to a secure cloud account. These globally accessible reports provide an immutable and legitimate track record to help any organization attain failsafe compliance with the regulatory mandates.
- Data erasure software can reinforce the existing information protection policies and practices in an organization by enabling permanent and failsafe removal of redundant, sensitive data from storage media. Professional software such as BitRaser Drive Eraser can erase data as per leading global standards such as DoD 5220.22-M and NIST 800-88. The software ensures that the wiped data is destroyed beyond recovery and cannot be retrieved using any tool or technique. A certified and accredited data erasure tool thus guarantees total protection from data leakage or exposure.
A data erasure tool can also complement other data protection technologies like encryption by nullifying potential data vulnerabilities due to a technical glitch. For example, formal inclusion of “erasure” in the data protection policy can protect the data from exposure even if it is left in an unencrypted state due to a software flaw or human error. Data erasure could have helped Morgan Stanley circumvent the exposure of unencrypted customer data in the 2019 incident.
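The two mechanisms the list above relies on, a post-wipe verification that the media really holds nothing but the overwrite pattern and a tamper-evident record of that verification, can be shown end to end in a few dozen lines. The following is an added example and is not BitRaser’s or Morgan Stanley’s code. The disk image, the device serial and the signing key are constructed; the HMAC signature is an assumed stand-in for whatever integrity mechanism a commercial “tamper-proof” certificate uses, and the full read-back check is the verification step NIST SP 800-88 asks for after a Clear or Purge (the standard permits sampled verification; this example reads every block).

```python
"""Post-wipe verification and a tamper-evident erasure certificate.

Added example, not BitRaser's or Morgan Stanley's code. The disk image,
device serial and signing key below are constructed for the demonstration;
HMAC-SHA256 is an assumed stand-in for a product's certificate integrity scheme.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

BLOCK = 512

# Constructed "drive" of 64 blocks: a fully wiped drive reads back as all zeros.
WIPED_IMAGE = bytes(64 * BLOCK)

# Constructed drive where the wipe missed one block (residual customer data).
_residual = bytearray(64 * BLOCK)
_residual[40 * BLOCK:40 * BLOCK + 16] = b"ACCT:0123456789 "
RESIDUAL_IMAGE = bytes(_residual)


def verify_wipe(image: bytes, pattern: int = 0x00) -> list:
    """Full read-back verification. Returns the indexes of every block that
    does not consist solely of the overwrite pattern; an empty list means
    the wipe verified."""
    expected = bytes([pattern]) * BLOCK
    return [i // BLOCK for i in range(0, len(image), BLOCK)
            if image[i:i + BLOCK] != expected]


def _canonical(record: dict) -> bytes:
    # Stable serialization so the hash and signature cover exactly these fields.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_certificate(serial: str, method: str, image: bytes, signing_key: bytes) -> dict:
    """Run verification on the media and wrap the outcome in a signed record.
    The certificate records a failed verification honestly rather than
    omitting the device."""
    failed = verify_wipe(image)
    record = {
        "device_serial": serial,
        "method": method,
        "blocks_checked": len(image) // BLOCK,
        "blocks_failed": len(failed),
        "verified": not failed,
        "completed_utc": datetime.now(timezone.utc).isoformat(),
    }
    body = _canonical(record)
    record["record_sha256"] = hashlib.sha256(body).hexdigest()
    record["signature"] = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return record


def verify_certificate(cert: dict, signing_key: bytes) -> bool:
    """True only if the record hash matches and the HMAC verifies; any edit
    to a covered field (e.g. flipping "verified") invalidates it."""
    body = _canonical({k: v for k, v in cert.items()
                       if k not in ("record_sha256", "signature")})
    if hashlib.sha256(body).hexdigest() != cert.get("record_sha256"):
        return False
    expected = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.get("signature", ""))


if __name__ == "__main__":
    key = b"constructed-demo-signing-key"   # constructed; keep real keys in an HSM/KMS
    for serial, image in (("SRV-DEMO-1", WIPED_IMAGE), ("SRV-DEMO-2", RESIDUAL_IMAGE)):
        cert = make_certificate(serial, "NIST SP 800-88 Clear", image, key)
        print(serial, "verified" if cert["verified"] else "FAILED",
              "certificate valid:", verify_certificate(cert, key))
```

The point of signing over the verification outcome is that the certificate cannot later be edited to say a failed wipe succeeded; the custodian keeps the signing key, so a vendor-produced record can be checked independently of the vendor.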
In a Nutshell
up of organizations’ data protection policies and practices in tandem with the global regulations is an area that needs more diligent and thoughtful effort. The surfeit of data breach incidents, with their ever-growing scale of impact over the decade, underscores this fact. The presence of chance “residual data” in storage hardware is a crucial reason for data privacy violation, aside from the scenarios involving the hacking of a system (device, storage, network, etc.) to breach information.
The only way to “eradicate” the sensitive, unwanted data is to erase it such that no tool or technique can retrieve it. Data erasure technology enables this solution using professional software tools. Aside from the assurance of wiping through systematic implementation and certified records, data erasure also nullifies the incidental risks emerging from factors like missing hardware, failed encryption, and vendor mismanagement. The time has arrived for a wide-scale (global) adoption of data erasure technology, and it is now.