Investment bank Morgan Stanley must pay a $60 million fine for failing to properly decommission multiple business data centers that stored sensitive customer information, the Office of the Comptroller of the Currency (OCC) announced earlier this month.
According to a civil penalty consent order, the oversights in handling the retirement of the data centers began in 2016. However, similar shortcomings were observed in 2019, when the bank failed to properly dispose of customer data stored on computer servers at a local branch.
“In 2016, the Bank failed to exercise proper oversight of the decommissioning of two Wealth Management business data centers located in the US,” the OCC said.
“In connection with the decommissioning, the Bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third-party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices. The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance.”
A $5 million class-action lawsuit on behalf of about 100 customers was also filed against the bank earlier this year.
The lawsuit claims Morgan Stanley failed to secure and safeguard personal identifiable information on previously decommissioned company-owned equipment. Additionally, the bank doesn’t know the whereabouts of the retired equipment that stored unencrypted customer data, such as Social Security numbers, passport numbers, addresses, telephone numbers, email addresses, account numbers, dates of birth, income, asset value and holding information.
“Plaintiff brings this class action against Morgan Stanley for its failure to properly secure and safeguard personal identifiable information,” a class action complaint reads. “Plaintiff also alleges Defendant failed to provide timely, accurate, and adequate notice to Plaintiff and similarly situated Morgan Stanley current and former customers (“Class Members”) that their PII had been lost and precisely what types of information was unencrypted and in the possession of unknown third parties.”
Data breaches don’t necessarily stem from a malicious actor or an intrusion into a company network. Although data mismanagement is often attributed to errors on the part of IT, employee behavior and the carelessness of third-party vendors are just as much to blame for exposing data.