The Incident: How It Unfolded
Some devices still contained unencrypted personal data belonging to millions of Morgan Stanley customers, including account numbers, Social Security numbers, and other PII. Morgan Stanley had outsourced the decommissioning of the devices to an unnamed third-party vendor and, trusting that the vendor had wiped or destroyed them, did not verify the result itself.
The Aftermath and Legal Consequences
In 2020, the U.S. Office of the Comptroller of the Currency (OCC) fined Morgan Stanley $60 million for failing to properly oversee the decommissioning and to safeguard customer information as required under the information-security standards that implement the Gramm-Leach-Bliley Act (GLBA). The Securities and Exchange Commission (SEC) also investigated the same failures, and Morgan Stanley ultimately settled that case as well, paying a further $35 million penalty in 2022.
Lessons Learned
- Thorough Oversight of Third-Party Vendors: Morgan Stanley remained legally responsible for data compromised through its vendor. Outsourcing the work does not outsource the liability, so the contract must specify the sanitisation standard, and the company must confirm it was met, for example through serial-number-level certificates of destruction checked against its own asset inventory.
- Ensuring Data Sanitisation Across All Devices: Deleting files or reformatting a drive removes only the references to the data, not the data itself, and an overwrite that is never verified proves nothing. Sanitisation must be a documented, verified step (overwrite with read-back verification, cryptographic erase, or physical destruction) applied to every device that ever held customer data, including those that have left the building.
- Regulatory Compliance and Proactive Measures: Companies must comply with the data protection laws that apply to them, and in practice that means treating decommissioning as part of the data lifecycle: keep an inventory of which devices hold customer data, and do not close that inventory entry until sanitisation has been confirmed.
- The Cost of Incomplete Data Wiping: Beyond the regulatory penalties, the breach resulted in a loss of customer trust and lasting reputational damage.
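The second lesson above is easier to believe once you see it happen. The following script is an added example written for this article; it is not code from Morgan Stanley, NTERA, or any vendor involved in the case. It builds a constructed stand-in for a drive (a file whose block 0 is a directory of name, first-block and length entries and whose remaining blocks hold data; the layout is hypothetical), "deletes" a record the way an operating system does (clearing the directory entry only), shows that a raw-byte scan still finds the SSN-shaped value, then overwrites the image and verifies the wipe by reading every block back. The customer record and the SSN in it are constructed values, not real data.

```python
"""Why 'delete' is not sanitisation, and how to verify an overwrite.

Added example for this article, not code from the parties in the case.
The mini disk image is a constructed stand-in for a real drive: block 0 is a
directory of (name, first block, length) entries, the rest are data blocks.
The record and SSN written into it are constructed, non-real values.
"""
import mmap
import os
import re
import struct
import tempfile

BLOCK = 4096                          # assumed block size for the demo image
DIR_ENTRY = struct.Struct("<16sII")   # name, first block, length (hypothetical layout)
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")   # SSN-shaped strings in raw bytes


def make_image(path: str, blocks: int) -> None:
    """Create an all-zero image of the given number of blocks."""
    with open(path, "wb") as f:
        f.truncate(blocks * BLOCK)


def write_file(path: str, name: str, first_block: int, payload: bytes, slot: int) -> None:
    """Store payload in the data blocks and record it in directory slot `slot`."""
    with open(path, "r+b") as f:
        f.seek(first_block * BLOCK)
        f.write(payload)
        f.seek(slot * DIR_ENTRY.size)
        f.write(DIR_ENTRY.pack(name.encode().ljust(16, b"\0"), first_block, len(payload)))


def delete_file(path: str, slot: int) -> None:
    """What an ordinary OS 'delete' does: clear the directory entry, leave the data blocks alone."""
    with open(path, "r+b") as f:
        f.seek(slot * DIR_ENTRY.size)
        f.write(b"\0" * DIR_ENTRY.size)


def list_files(path: str) -> list:
    """What a normal file listing shows; deleted entries are invisible here."""
    with open(path, "rb") as f:
        directory = f.read(BLOCK)
    names = []
    for slot in range(BLOCK // DIR_ENTRY.size):
        name, _first, length = DIR_ENTRY.unpack_from(directory, slot * DIR_ENTRY.size)
        if length:
            names.append(name.rstrip(b"\0").decode())
    return names


def carve_pii(path: str) -> list:
    """Ignore the directory and regex the raw bytes, as a recovery tool would."""
    if os.path.getsize(path) == 0:
        return []
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return [(m.start(), m.group().decode()) for m in SSN_RE.finditer(mm)]


def overwrite(path: str, pattern: bytes = b"\0") -> None:
    """Single-pass overwrite of every block with a fixed byte, flushed to disk."""
    size = os.path.getsize(path)
    fill = pattern * (BLOCK // len(pattern))
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.seek(off)
            f.write(fill[: min(BLOCK, size - off)])
        f.flush()
        os.fsync(f.fileno())


def verify_wipe(path: str, pattern: bytes = b"\0") -> tuple:
    """Read every block back and confirm it holds only the pattern: (ok, first_bad_offset)."""
    size = os.path.getsize(path)
    fill = pattern * (BLOCK // len(pattern))
    with open(path, "rb") as f:
        for off in range(0, size, BLOCK):
            chunk = f.read(BLOCK)
            if chunk != fill[: len(chunk)]:
                return (False, off)
    return (True, None)


def demo() -> dict:
    """Run the sequence on a temporary image and return what each step observed."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path, blocks=16)
        record = b"name=J. Doe;account=00012345;ssn=123-45-6789\n"  # constructed PII
        write_file(path, "customers.csv", first_block=5, payload=record, slot=0)
        before = list_files(path)
        delete_file(path, slot=0)
        after_delete = (list_files(path), carve_pii(path))   # listing empty, carving still finds it
        overwrite(path)
        after_wipe = (carve_pii(path), verify_wipe(path))    # nothing carved, verification passes
        return {"before": before, "after_delete": after_delete, "after_wipe": after_wipe}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The read-back in verify_wipe is the part vendors most often skip, and it is the part a certificate of destruction should attest to. Note its limit: it only checks the sectors the device chooses to present. On flash media, wear-levelling spare blocks are not addressable this way, which is why NIST SP 800-88 steers SSDs towards cryptographic erase or physical destruction rather than overwrite alone.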
Conclusion
The Morgan Stanley case is a cautionary tale that data security does not end when a device leaves production: secure disposal is the last control applied to customer data, and it has to be verified rather than assumed. NTERA can help ensure your company does not experience a similar breach by physically destroying your data-containing media.
