Morgan Stanley Ordered to Pay $6.5 Million for Exposing Customer Information

Morgan Stanley Ordered to Pay $6.5 Million for Exposing Customer Information

November 20, 2023 at 09:33AM

Morgan Stanley has reached a $6.5 million settlement for mishandling and disposing of hardware containing unencrypted personal information. The investigation revealed that the company did not properly erase the data when decommissioning old devices and failed to monitor the actions of a moving company it hired. The company was also found to have inadequate vendor controls and asset inventories. As part of the settlement, Morgan Stanley must improve data security measures, including encryption and data disposal policies.

During the meeting, it was discussed that Morgan Stanley has agreed to a $6.5 million settlement after improperly disposing of hardware that contained unencrypted personal information. The Florida Attorney General’s Office stated that the multinational investment bank potentially exposed the personal information of millions of customers due to negligent internal data security practices.

Investigations revealed that Morgan Stanley did not properly erase unencrypted personal information on devices being decommissioned. They hired a moving company without experience in data-destruction services, which subsequently sold the computer equipment containing sensitive consumer information at internet auctions without the bank’s knowledge. The data was discovered by a downstream purchaser who contacted Morgan Stanley.

Furthermore, during another decommissioning process, the company found 42 missing servers that potentially contained unencrypted customer information. The investigation attributed the issue to a manufacturer flaw in the encryption software.

The investigation also highlighted that Morgan Stanley failed to implement proper vendor controls and asset inventories, which could have prevented the data exposure.

As part of the settlement agreement, Morgan Stanley will pay $6.5 million to the states of Florida, Connecticut, Indiana, New Jersey, New York, and Vermont. Additionally, the company is required to improve the security of personal information. Specific measures include encrypting data at rest and in transit, implementing a data collection, use, retention, and disposal policy, implementing tools to track hardware containing personal information, and maintaining an information security program, an incident response plan, and a vendor risk assessment team.

Full Article