Morgan Stanley has been in a whirlwind of public outcry and class-action lawsuits since its official disclosure and notification of two separate data breach incidents in July 2020.
These notifications, concerning incidents dating back to 2016 and 2019, have so far attracted two class-action lawsuits filed by more than 100 members. One of these lawsuits seeks $5 million in damages for the unauthorized disclosure of customers’ PII and historical data to unknown third parties.
And now, in October 2020, the banking behemoth has been issued a notice of a $60 million civil money penalty by the United States Office of the Comptroller of the Currency (OCC).
The OCC finds that in 2016, Morgan Stanley failed to adequately address the data privacy risks associated with decommissioning of its data centers, failed to evaluate the risks associated with third-party vendors, and failed to maintain an appropriate inventory of customer data stored on the devices. The federal bureau further notes that in 2019 the bank again experienced similar inadequacies in vendor management concerning the decommissioning of its servers.
The notice states that “by reason of the foregoing conduct, the Bank was in noncompliance with 12 C.F.R. Part 30, Appendix B – Interagency Guidelines Establishing Information Security Standards – and engaged in unsafe or unsound practices that were part of a pattern of misconduct.”
The first incident involves the decommissioning of two of the bank’s data centers in 2016 without appropriate due diligence in monitoring the third-party vendor contracted to wipe the customers’ data. The vendor had allegedly failed to completely wipe (erase) the data from the servers and other hardware of the data centers before selling it to recyclers.
Morgan Stanley came to know of the residual data’s existence on the disposed-of storage hardware much later, in 2019, through a recycler. Also, the banking firm didn’t have any documented record or trail that could attest to the wiping (erasure) of data from the decommissioned servers.
In the second incident in 2019, a few decommissioned servers at one of Morgan Stanley’s local branches went missing from the inventory. The missing servers’ hard disks were left with a portion of the customers’ deleted data in an unencrypted form — later attributed to a software flaw. This data was accessible to whosoever was in possession of the missing servers.
The two incidents potentially exposed the current and former customers’ sensitive data to an unauthorized third party with a “lifetime risk of identity theft”— as stated by the lawyers representing two of the plaintiffs. The notification letter, sent by Morgan Stanley to the California attorney general, states that the exposed data may comprise customers’ PII, such as account names and numbers, social security numbers, passport numbers, contact information, date of birth, etc.
The following aspects stand out as the root causes of these data leakage incidents:
- Inadequate diligence in supervising the contracted vendor
As per Morgan Stanley’s official disclosure, the vendor failed to remove the complete data from the devices retired in 2016, a matter that came to the bank’s attention several years later, through a recycler, in 2019. This information indicates a lapse in the supervision of the contracted data wiping job and its outcome vis-à-vis the data protection regulatory standards.
- Absence of documented records for the wiped hardware
The absence of systematic documentation is another conspicuous gap in the due diligence concerning the outsourced data wiping jobs. The availability of data wiping records for the servers could have helped the bank produce audit trails and attain regulatory compliance. The vendor didn’t seem to have provided a record of data wiping that could attest to the job’s completeness and efficacy in line with the information security standards.
- Technical lapses in the data destruction strategy
The 2019 incident involves the presence of some unencrypted data in the missing servers due to a software flaw — a fact that came to light after the software manufacturer apprised Morgan Stanley of the glitch. It seems that the data encryption technology in place failed to sufficiently meet the goal of information protection, as it couldn’t protect the unwiped data from exposure.
Morgan Stanley’s situation stems from the fact that the data wiping jobs were outsourced to a third-party vendor, which brings the aspect of “due diligence” into the picture, along with the subsequent lapses in process efficacy and documentation.
Adoption of a professional data erasure software tool could have helped the bank preempt the situation in several ways, as follows:
- Modern data erasure software such as BitRaser Drive Eraser provides a D-I-Y utility to facilitate in-house (i.e., on-premises) wiping of the legacy storage media with no or minimal technical assistance. The IT asset management team at Morgan Stanley could use the software to wipe the hard drives without needing a particular setup.
For example, BitRaser Drive Eraser doesn’t even need installation; it boots into the computer system via a USB flash drive and wipes clean an entire hard drive, including all the addressable memory locations, in about 20 minutes.
Further, drives wiped using professional data erasure software can be released to the hardware reseller or e-recycler for subsequent processing without worrying about unpleasant surprises like data leakage. The custodian organization can even reassign the wiped drives to a third-party vendor for further sanitization, if policy demands so, without apprehension of lapses in due diligence and vendor supervision.
- Professional data erasure software can generate a digital report for every wiped hard drive or device. The availability of such systematic digital reports could serve as a documented trail of the wiping records for every data-bearing device released from the bank’s custody.
For example, BitRaser Drive Eraser generates a “tamper-proof” digital report and certificate for every data erasure task and uploads those documents to a secure cloud account. These globally accessible reports provide an immutable and legitimate track record to help any organization attain failsafe compliance with the regulatory mandates.
- Data erasure software can reinforce the existing information protection policies and practices in an organization by enabling permanent and failsafe removal of redundant, sensitive data from the storage media. Professional software such as BitRaser Drive Eraser can erase the data as per leading global standards such as DoD 5220.22-M and NIST 800-88. The software ensures that the wiped data is destroyed beyond the scope of recovery and cannot be retrieved using any tool or technique. A certified and accredited data erasure tool thus guarantees total protection from data leakage or exposure.
A data erasure tool can also complement other data protection technologies like encryption by nullifying potential data vulnerabilities due to a technical glitch. For example, formal inclusion of “erasure” in the data protection policy can protect the data from exposure even if left out in an unencrypted state due to a software flaw or human error. Data erasure could have helped Morgan Stanley circumvent the exposure of unencrypted customer data in the 2019 incident.
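The two controls the list above keeps returning to, a verified overwrite and a per-device erasure record that cannot be quietly altered, are small enough to show in code. The example below is added here and is not BitRaser’s, Morgan Stanley’s or the page’s own code: it overwrites a storage image in place, reads every byte back to confirm the overwrite (the verification step NIST SP 800-88 expects after a Clear), and then writes a JSON erasure record sealed with an HMAC so that a later edit to the serial number, the timestamp or the “verified” flag is detectable. The HMAC key, the device serial, the function names and the scratch image it runs on are all assumptions; a real deployment would point `sanitize` at the block device itself with the appropriate privileges, keep the key in an HSM or KMS, and, for flash media, use the firmware-level sanitize commands SP 800-88 prescribes rather than a software overwrite, which is not a reliable purge for SSDs.

```python
"""Added example: verified single-pass overwrite plus a tamper-evident
erasure record. Not the code of BitRaser, Morgan Stanley, or the article."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20     # 1 MiB per read/write
PATTERN = b"\x00"   # single-byte fill; SP 800-88 "Clear" for magnetic media


def overwrite_media(path: str, pattern: bytes = PATTERN) -> int:
    """Overwrite every byte of the file or block device at `path`; return bytes written."""
    assert len(pattern) == 1, "single-byte pattern keeps chunk alignment trivial"
    buf = pattern * CHUNK
    written = 0
    with open(path, "r+b") as fh:
        fh.seek(0, os.SEEK_END)          # works for regular files and block devices
        size = fh.tell()
        fh.seek(0)
        while written < size:
            n = min(CHUNK, size - written)
            fh.write(buf[:n])
            written += n
        fh.flush()
        os.fsync(fh.fileno())            # make sure the pattern reached the media
    return written


def verify_media(path: str, pattern: bytes = PATTERN):
    """Read the whole medium back; return (every byte matches pattern, sha256 of read-back)."""
    digest = hashlib.sha256()
    ok = True
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            if chunk != pattern * len(chunk):
                ok = False               # keep reading so the digest covers the full medium
    return ok, digest.hexdigest()


def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_record(serial: str, method: str, written: int, verified: bool,
                 digest: str, key: bytes) -> dict:
    """Erasure record for one device, sealed with an HMAC over its canonical JSON form."""
    rec = {
        "device_serial": serial,
        "method": method,
        "bytes_overwritten": written,
        "verified": verified,
        "readback_sha256": digest,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    rec["hmac_sha256"] = hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()
    return rec


def check_record(rec: dict, key: bytes) -> bool:
    """True only if the record's fields still match the HMAC it was issued with."""
    body = dict(rec)
    tag = body.pop("hmac_sha256", "")
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def sanitize(path: str, serial: str, key: bytes) -> dict:
    """Overwrite, verify, and record one device; the record says whether verification passed."""
    written = overwrite_media(path)
    ok, digest = verify_media(path)
    return build_record(serial, "SP 800-88 Clear: single-pass overwrite, read-back verified",
                        written, ok, digest, key)


def demo():
    """Run the flow on a constructed scratch image (stand-in for a retired drive)."""
    key = b"assumed-audit-key-held-in-kms"           # assumption: fetched from an HSM/KMS in practice
    size = 4 * 1024 * 1024 + 123                     # deliberately not a multiple of CHUNK
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(size))                  # constructed "customer data"
        path = tmp.name
    try:
        rec = sanitize(path, "SN-EXAMPLE-0001", key)  # placeholder serial
        genuine = check_record(rec, key)
        forged = dict(rec)
        forged["device_serial"] = "SN-EXAMPLE-0002"  # someone reassigns the certificate
        return rec, genuine, check_record(forged, key)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    record, genuine, forged_ok = demo()
    print(json.dumps(record, indent=2))
    print("record genuine:", genuine, "| forged record accepted:", forged_ok)
```

The record deliberately carries the read-back result rather than only a “done” flag, because the 2016 incident is exactly the case where the overwrite was claimed but not confirmed; a reviewer can also recompute the SHA-256 of an all-`0x00` image of the recorded size and compare it with `readback_sha256`.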
In a Nutshell
Ramping up organizations’ data protection policies and practices in tandem with global regulations is an area that needs more diligent and thoughtful effort. The surfeit of data breach incidents, with their ever-growing scale of impact over the decade, underscores this fact. The chance presence of “residual data” in storage hardware is a crucial cause of data privacy violations, aside from the scenarios involving the hacking of a system (device, storage, network, etc.) to breach information.
The only way to “eradicate” sensitive, unwanted data is to erase it such that no tool or technique can retrieve it. Data erasure technology enables this using professional software tools. Aside from the assurance of wiping through systematic implementation and certified records, data erasure also nullifies the incidental risks emerging from factors like missing hardware, failed encryption, and vendor mismanagement. The time for wide-scale (global) adoption of data erasure technology has arrived.