OCC: Financial Giant Neglected to Properly Decommission Legacy Equipment
Multinational banking giant Morgan Stanley has agreed to a $60 million settlement for a class-action lawsuit to resolve a data exposure incident dating back to 2016.
Authorities say personally identifiable information was exposed after Morgan Stanley used a third-party service provider that failed to ensure all personal data was completely removed from IT equipment after two data centers were decommissioned in 2016. The U.S. Office of the Comptroller of the Currency also stated that in 2019, Morgan Stanley again neglected to retire network devices at a local branch.
Morgan Stanley sold the legacy systems to third parties while they still held unencrypted customer data that had not been completely wiped. The bank later notified its clients that the PII had remained accessible on those systems at the time the equipment was sold.
The OCC fined the company $60 million for failing to maintain an appropriate inventory of the customer data stored on the hardware in question, failing to recognize the potential risk of a data breach, and failing to properly assess the data breach risks associated with third-party subcontractors.
The separate class action settlement was filed in the U.S. District Court for the Southern District of New York and would allow class members to claim up to $10,000 in reimbursement and at least 24 months of fraud insurance. The settlement awaits approval by a U.S. district court judge, according to Reuters.
In addition, Morgan Stanley will bear the administration costs associated with the settlement and commits to locating any other missing technology, according to court filings.
Data exposed in the 2016 and 2019 incidents reportedly includes customer names, addresses, account information, Social Security numbers, dates of birth, credit card numbers, and other PII, court papers indicate. The firm began informing its customers about the breach risks in July 2020.
According to the court documents, Morgan Stanley has already “made substantial changes” to its data security practices.
A spokesperson for Morgan Stanley declined to further elaborate on security measures put in place as a result of the lawsuit.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” the spokesperson tells ISMG.
‘Left Holding the Bag’
In court documents filed in 2020, the OCC specified that Morgan Stanley created a data exposure risk for customers when it failed to provide the proper oversight to the third-party vendor retiring the IT equipment, and did not execute proper due diligence.
In total, Morgan Stanley will potentially pay more than $120 million – the $60 million penalty assessed by the OCC plus the proposed $60 million settlement fund and its administration costs – illustrating the cost of compliance failures around data breach risk.
John Michener, chief scientist at cybersecurity firm Casaba Security, says that due to the bank’s inability to adhere to sound regulatory processes, it has paid the price – with potential penalties climbing past $100 million.
“If you are not following best practices and a customer gets hit, you are probably left holding the bag,” says Michener.
Alex Hamerstone, director of advisory solutions at the firm TrustedSec, says the outcome of the lawsuit puts financial institutions on notice if they choose not to follow “basic information security practices.” Ultimately, he says, they will be held accountable.
“[The lawsuit] is also a good reminder for organizations to audit their own processes, whether using internal or external audit resources, to ensure that they are being followed,” Hamerstone tells ISMG.
Chris Pierson, a former special government employee on the DHS’s Cybersecurity Subcommittee and Privacy Committee and currently CEO of BlackCloak, also advises financial institutions to audit internal practices yearly, and to take the following steps:
- Encrypt data at rest, which would likely have avoided these exposure risks;
- Pay attention to physical assets, not just data stored in the cloud;
- Ensure processes remain effective in avoiding potential data breaches.
Wipe Data or Destroy Device?
Some experts say the decommissioning process itself has evolved – and simply “wiping” stored data no longer suffices.
Casaba Security’s Michener says that standard practice for organizations decommissioning devices and hardware with sensitive information is to shred or destroy it. Wiping hard drives and servers is no longer sufficient because “blocks may have been remapped out of working volume,” he says.
“Twenty years ago, wiping the data would have been adequate in the commercial world, but the attacks get better over time, and organizations need to update their practices and policies to reflect those changes,” Michener says.
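The following is an added illustration of the point above; it is not code from the article, from Morgan Stanley, or from either expert quoted. A plain file stands in for a drive: the first WORK sectors are the host-addressable working volume, and a trailing RESERVED region plays the role of sectors the firmware has remapped (or SSD over-provisioned space) that a host-level wipe cannot reach. The script runs a zero-fill over the working volume, verifies it sector by sector, and then shows that the reserved region still holds data. All file names, sector counts and the "SSN=" record pattern are constructed for the demo; the remedies named in the comments (ATA Secure Erase via hdparm, NVMe Sanitize via nvme-cli, or physical destruction) are standard options whose suitability depends on the hardware and policy in question.

```shell
#!/bin/sh
# Added example, not from the article: why a host-side zero wipe plus a
# host-side verification pass can both succeed while customer data
# survives in sectors the drive no longer exposes. Real-world fixes are
# the drive's own firmware sanitize path (ATA Secure Erase via hdparm,
# NVMe Sanitize via nvme-cli; check what your hardware actually supports)
# or physical destruction per data-classification policy.
set -u
SECTOR=512

# count_dirty_sectors FILE START NUM
# Prints how many of NUM sectors starting at sector START contain at
# least one non-zero byte. od/tr keep the check POSIX-sh friendly.
count_dirty_sectors() {
  local f="$1" start="$2" n="$3" i=0 dirty=0
  while [ "$i" -lt "$n" ]; do
    if [ -n "$(dd if="$f" bs="$SECTOR" skip=$((start + i)) count=1 2>/dev/null \
               | od -An -v -tx1 | tr -d ' \n0')" ]; then
      dirty=$((dirty + 1))
    fi
    i=$((i + 1))
  done
  echo "$dirty"
}

# build_drive_image FILE WORK RESERVED
# Constructed sample "drive": WORK host-visible sectors followed by
# RESERVED sectors the host cannot address. Every sector is filled with a
# recognisable (fake) customer-record pattern so residue is easy to spot.
build_drive_image() {
  local f="$1" total=$(($2 + $3))
  yes 'SSN=123-45-6789;ACCT=0000111122' | head -c $((total * SECTOR)) > "$f"
}

# host_wipe FILE WORK
# What a wipe tool running on the host can do: overwrite the addressable
# sectors with zeros. The reserved tail is untouched, exactly as remapped
# blocks would be on a real drive.
host_wipe() {
  dd if=/dev/zero of="$1" bs="$SECTOR" count="$2" conv=notrunc 2>/dev/null
}

# verify_working_volume FILE WORK -> exit 0 if all WORK sectors are zero
verify_working_volume() {
  [ "$(count_dirty_sectors "$1" 0 "$2")" -eq 0 ]
}

demo() {
  local img work=64 reserved=8
  img=$(mktemp)
  build_drive_image "$img" "$work" "$reserved"
  host_wipe "$img" "$work"
  if verify_working_volume "$img" "$work"; then
    echo "host-side check: working volume is clean"
  fi
  echo "sectors still holding data beyond the working volume: $(count_dirty_sectors "$img" "$work" "$reserved")"
  rm -f "$img"
}
demo
```

The host-side verification passes, which is exactly the false assurance the passage warns about; the only sectors it can read are the ones the drive chooses to expose. Run the same two checks against a real device by swapping the temp file for a block device path, and treat any non-zero count in a region you believed wiped as grounds to escalate to firmware-level sanitize or destruction.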
Some organizations decide not to destroy equipment based on environmental concerns, a desire to reuse as not to be wasteful, and also “do not want to throw money away by destroying equipment that can be sold,” says TrustedSec’s Hamerstone, who says this kind of incident is “highly preventable.”
“It would be shocking if Morgan Stanley didn’t have policies in place to address end-of-life equipment, but it seems in this case they didn’t follow any policies in place,” he states.