$35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned

Morgan Stanley agreed to pay the SEC a $35 million penalty for data security that included unencrypted hard drives from decommissioned data centers being sold on eBay without first being wiped.

The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an "extensive failure" to safeguard customers' data. The agency said that the failures included the improper disposal of hard drives and backups. The data for 15 million customers was exposed.

"Astonishing failures"

The director of the SEC's enforcement division used the initials for Morgan Stanley Smith Barney to describe the firm's failures. Customersentrusting their personal information to financial professionals with the understanding and expectation that it will be protected, and MSMB fell woefully short in that regard.

The failure was caused by the hiring of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives. The moving company received 53 RAID array that collectively held about 1,000 hard drives, and it also removed about 8,000 backup tapes from a Morgan Stanley data center.


The moving company hired an IT specialist to wipe or destroy any sensitive data on the drives. The storage devices were sold to a company that in turn sold them to an auction house. Morgan Stanley did not vet the new company or approve it as a contractor or Subcontractor in the project.

Morgan Stanley officials got an email from an IT consultant in Oklahoma telling them that hard drives he purchased from an online auction site contained Morgan Stanley data.

In a complaint, SEC officials wrote that a consultant told them that a major financial institution should follow strict guidelines when dealing with retiring hardware. It would be great if you could get some kind of verification of data destruction from the vendors you sell equipment to. The consultant had the hard drives.

The SEC action said that many of the storage devices didn't have an option toEncrypt. Only new data was protected after the investment firm began using the options. There was a flaw in the vendor's product that caused data to be incomplete.

Morgan Stanley agreed to pay a $35 million penalty without admitting or denying the SEC claims.

Morgan Stanley officials said they were pleased to be resolving the issue. We have not found any unauthorized access to, or misuse of, personal client information after notifying applicable clients.