The Securities and Exchange Commission has fined Morgan Stanley Smith Barney (MSSB) for failing to protect its customers' personal identifying information (PII) over a five-year period. The SEC claims that Morgan Stanley not only failed to destroy its clients' personal data on hard drives slated for decommissioning, but also hired unqualified companies to carry out that destruction.
The SEC found that Morgan Stanley did not properly dispose of storage devices containing its customers' PII dating as far back as 2015. The commission also found that in several cases, Morgan Stanley contracted a "moving and storage company with no experience or expertise in data destruction services" to retire thousands of HDDs and servers containing the personal information of millions of its clients. Instead of destroying the drives and servers, the company sold them to a third party, which in turn sold them through an Internet auction site.
Typically, companies dealing with sensitive data use hardware security modules (HSMs) such as Marvell's LiquidSecurity, self-encrypting drives (SEDs), or at least encrypt the data in software. Decommissioning an SED is fast and simple because it only requires erasing the encryption key held on the drive: without the key, the ciphertext left on the platters is useless. Morgan Stanley did not use SEDs and did not encrypt the data on its servers, even though the servers supported that capability. Decommissioning a server holding unencrypted data instead requires erasing all of the data and verifying that it cannot be recovered, which in many cases means physically destroying the storage devices. MSSB's contractors did not do that, and MSSB did not properly monitor the contractors' work.
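The paragraph above contrasts two decommissioning paths: a self-encrypting drive, where destroying the media key is enough, and an unencrypted drive, where the data itself must be overwritten or the media destroyed and the result verified. The following Python model is an added illustration written for this article, not code from Morgan Stanley, the SEC, or any drive vendor. It uses a constructed sample of PII-shaped records, a toy SHA-256 counter-mode keystream standing in for the AES-XTS engine a real SED implements in hardware (hypothetical, for demonstration only), and a simple SSN-pattern scan as the kind of verification check an auditor would run on a retired drive before it leaves the building.

```python
import hashlib
import re
import secrets

# Constructed sample records standing in for customer PII (not real data).
SAMPLE_RECORDS = (
    b"acct=000123456;name=Jane Example;ssn=123-45-6789\n"
    b"acct=000123457;name=John Example;ssn=987-65-4321\n"
)

# Constructed DLP-style pattern: US SSN-shaped tokens in raw drive contents.
SSN_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived from SHA-256 (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XORing with the keystream (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class ToyDrive:
    """Drive model: raw platter bytes plus, for an SED, an on-drive media key."""

    def __init__(self, self_encrypting: bool):
        self.self_encrypting = self_encrypting
        self.media_key = secrets.token_bytes(32) if self_encrypting else None
        self.platter = b""

    def write(self, data: bytes) -> None:
        if self.self_encrypting:
            self.platter = xor_with_keystream(self.media_key, data)
        else:
            self.platter = data  # unencrypted: plaintext lands on the platter

    def read(self) -> bytes:
        if not self.self_encrypting:
            return self.platter
        if self.media_key is None:
            raise RuntimeError("media key destroyed; data is unrecoverable")
        return xor_with_keystream(self.media_key, self.platter)

    def crypto_erase(self) -> None:
        """SED decommissioning: discard the media key, leave the platter alone."""
        if not self.self_encrypting:
            raise RuntimeError("crypto-erase needs an encrypting drive")
        self.media_key = None

    def overwrite(self) -> None:
        """Decommissioning an unencrypted drive: overwrite every byte."""
        self.platter = bytes(len(self.platter))


def platter_leaks_pii(drive: ToyDrive) -> bool:
    """Auditor's check: scan the raw platter bytes, ignoring any key."""
    return SSN_PATTERN.search(drive.platter) is not None


def sanitization_verified(drive: ToyDrive) -> bool:
    """What a contractor should have to prove before a drive is released."""
    key_gone = drive.media_key is None
    return key_gone and not platter_leaks_pii(drive)


def decommission_outcomes() -> dict:
    """Run both decommissioning paths and the sold-as-is failure mode."""
    sed = ToyDrive(self_encrypting=True)
    sed.write(SAMPLE_RECORDS)
    plain = ToyDrive(self_encrypting=False)
    plain.write(SAMPLE_RECORDS)
    results = {
        "sed_platter_leaks_before_erase": platter_leaks_pii(sed),
        "plain_platter_leaks_before_wipe": platter_leaks_pii(plain),
        # Selling the unencrypted drive untouched is the failure in the article.
        "plain_sold_as_is_verified": sanitization_verified(plain),
    }
    sed.crypto_erase()
    plain.overwrite()
    results["sed_verified_after_crypto_erase"] = sanitization_verified(sed)
    results["plain_verified_after_overwrite"] = sanitization_verified(plain)
    return results


if __name__ == "__main__":
    for name, value in decommission_outcomes().items():
        print(f"{name}: {value}")
```

The point of `sanitization_verified` is that the check is independent of who did the work: it looks only at what is physically on the drive and whether a key still exists, which is the evidence MSSB would have needed from its contractor rather than taking the outcome on trust.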