Morgan Stanley slapped with $6.5m fine for customer privacy breach

Morgan Stanley

Morgan Stanley recently faced a substantial security lapse leading to a $6.5m settlement that arose from the company’s negligent disposal of hardware.

According to Security Week, the hardware contained unencrypted personal information of millions of customers. This major oversight was highlighted by the Florida Attorney General’s Office following an investigation.

The investigation revealed that Morgan Stanley failed to properly erase unencrypted personal information on decommissioned devices. In a particularly glaring error, the company hired a moving company inexperienced in data-destruction services for decommissioning thousands of hard drives. This resulted in the sensitive consumer information being sold at internet auctions without Morgan Stanley’s knowledge. Further exacerbating the situation, a purchaser eventually discovered the data and alerted Morgan Stanley.

Additionally, the probe uncovered the loss of 42 servers containing potentially unencrypted customer information, attributed to a flaw in the encryption software provided by a manufacturer. The investigation also criticised Morgan Stanley for inadequate vendor controls and asset inventories, which could have otherwise mitigated the risk of data exposure.

As a corrective measure, Morgan Stanley has been mandated to implement several security enhancements. These include encrypting data both at rest and in transit, establishing comprehensive policies for data collection, use, retention, and disposal, and maintaining robust hardware tracking mechanisms. The company is also required to uphold an information security program, incident response plan, and a vendor risk assessment team.

Morgan Stanley’s commitment to these measures is crucial for regaining customer trust and upholding data security standards in the FinTech industry.

Copyright © 2023 RegTech Analyst

Enjoyed the story? 

Subscribe to our weekly RegTech newsletter and get the latest industry news & research

Copyright © 2018 RegTech Analyst

Investors

The following investor(s) were tagged in this article.