Problem of Incomplete Data Wiping
- Michael Insulan
- Mar 4, 2024
- 4 min read
Updated: Nov 27, 2024
The Morgan Stanley Data Breach: The Problem of Incomplete Data Wiping
In 2016, Morgan Stanley, one of the world’s leading financial institutions, faced significant scrutiny and financial penalties due to a major data breach involving improperly discarded IT equipment. This breach serves as a stark reminder of the importance of proper data sanitization and the serious risks organizations face when decommissioned devices are not securely wiped or destroyed.
The Incident: How It Unfolded
Morgan Stanley’s data breach came to light when it was discovered that the firm had sold decommissioned hardware—without fully ensuring that the sensitive customer information stored on these devices had been permanently wiped. The equipment, which included servers and other IT assets, was resold to third-party recyclers between 2016 and 2019. The company had outsourced the data decommissioning process to an unnamed third-party vendor, believing that the devices had been properly sanitized.
However, it was later revealed that some of these devices still contained unencrypted personal data belonging to millions of Morgan Stanley customers. The data included sensitive financial information, such as account numbers, Social Security numbers, and other personally identifiable information (PII). The equipment ended up in the hands of recyclers who had access to this residual data.
While it was unclear whether any of the exposed data was actively misused, the incident posed a significant security risk. Morgan Stanley's failure to implement rigorous data destruction procedures for decommissioned hardware opened the door to potential misuse by bad actors.

The Aftermath and Legal Consequences
The breach had serious repercussions. In 2020, the U.S. Office of the Comptroller of the Currency (OCC) fined Morgan Stanley $60 million for the mishandling of customer information. The fine was levied because Morgan Stanley failed to oversee the proper disposal of hardware that contained sensitive data and did not ensure that its third-party vendors followed strict data sanitization protocols. The fine was issued under the Gramm-Leach-Bliley Act (GLBA), which mandates that financial institutions must safeguard customer data and protect against potential breaches during the disposal process.
In addition to the OCC fine, the Securities and Exchange Commission (SEC) also launched an investigation into the incident, adding further pressure to the financial institution. Morgan Stanley ultimately settled the case with the SEC as well, although the financial terms of that settlement were not as heavily publicized as the OCC fine.
Lessons Learned from the Morgan Stanley Case
The Morgan Stanley case serves as a critical example of how data can remain vulnerable even when firms believe they have taken adequate precautions. There are several key lessons that businesses can learn from this case:
Thorough Oversight of Third-Party Vendors: While Morgan Stanley outsourced its decommissioning process, it remained legally responsible for the data that was compromised. This case underscores the importance of selecting third-party vendors that comply with strict data destruction standards and ensuring that these vendors follow through with the proper sanitization procedures.
Ensuring Data Sanitization Across All Devices: Simply deleting or overwriting data on a device is often not enough to guarantee that it cannot be recovered. With advanced forensic tools, data remnants can be retrieved unless devices are securely wiped using methods that comply with industry standards, such as multiple-pass overwriting or cryptographic erasure. In high-risk industries like finance, it is critical to use techniques such as physical destruction or degaussing to fully remove sensitive information before reselling or recycling hardware.
Regulatory Compliance and Proactive Measures: Morgan Stanley’s failure to adequately manage customer data during the disposal of equipment resulted in significant financial penalties. This case highlights the importance of businesses not only complying with relevant data privacy laws (such as GLBA in the U.S.) but also taking proactive measures to ensure that their data disposal processes are airtight.
The Cost of Incomplete Data Wiping: Beyond the legal and financial penalties, the Morgan Stanley breach resulted in a loss of trust from customers and damage to the firm’s reputation. In the era of data privacy, companies must demonstrate that they take all possible precautions to protect sensitive information, particularly when hardware reaches the end of its lifecycle.
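The sanitization point above is only as good as the verification behind it. As an added example (not code from the original post), this Python script reads a drive image back block by block after an overwrite pass and flags every block that is not zero, attaching a Shannon-entropy estimate so that leftover plaintext records can be told apart from encrypted or compressed residue. The image and the customer record inside it are constructed sample data.

```python
"""Wipe verification for a decommissioned drive image (added example, not
from the original post). After an overwrite pass, reading the media back is
the check that catches a vendor who skipped the wipe: every block should be
zero. Non-zero blocks are reported with a Shannon-entropy estimate so that
leftover plaintext can be told apart from encrypted/compressed residue.
All sample data below is constructed."""
import math
import os
from collections import Counter

BLOCK = 4096  # verification granularity in bytes

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, up to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def find_residual_blocks(image: bytes, block: int = BLOCK):
    """Return (block_index, entropy) for every block that is not all zeros."""
    residual = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if any(chunk):  # a single non-zero byte means the overwrite missed it
            residual.append((off // block, round(entropy(chunk), 2)))
    return residual

def verify_image(image: bytes) -> bool:
    """True only if the whole image reads back as zeros (wipe complete)."""
    return not find_residual_blocks(image)

def build_sample_image() -> bytes:
    """Constructed 16-block 'drive' that was only partially zeroed: block 3
    still holds a fake customer record, block 9 holds random bytes standing
    in for encrypted or compressed remnants."""
    img = bytearray(16 * BLOCK)
    record = b"ACCT=000123456789;SSN=XXX-XX-1234;NAME=SAMPLE CUSTOMER\n"
    img[3 * BLOCK:3 * BLOCK + len(record)] = record
    img[9 * BLOCK:10 * BLOCK] = os.urandom(BLOCK)
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample_image()
    for idx, ent in find_residual_blocks(sample):
        kind = "high-entropy residue" if ent > 7.0 else "plaintext/structured data"
        print(f"block {idx}: not wiped, entropy {ent:.2f} ({kind})")
    print("wipe complete" if verify_image(sample) else "wipe INCOMPLETE: hold the drive")
```

A read-back through the host interface cannot see remapped sectors or SSD over-provisioned flash, so for flash media this check complements, rather than replaces, cryptographic erasure or physical destruction.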
Conclusion: Data Security Doesn't End at Encryption
The Morgan Stanley breach shows that encryption alone is not a silver bullet. Even if sensitive information is encrypted, poorly handled hardware disposal processes can expose data to bad actors. Organizations need to adopt comprehensive strategies for securely decommissioning equipment, including certified data wiping, physical destruction, and ongoing vendor oversight. As this case demonstrates, the financial and reputational consequences of failing to do so can be devastating.
For businesses today, particularly those in the financial sector, the Morgan Stanley case stands as a cautionary tale that data security doesn’t end at encryption—secure data disposal is just as critical.
NTERA can help ensure that your company does not experience a data breach like the Morgan Stanley case described here. By physically destroying your data-containing media, data recovery is rendered impossible. NTERA recycles all shredded media in order to keep critical raw materials within Europe.