Morgan Stanley Bank has been fined $60 million for failing to protect personal data during the decommissioning of company servers. In 2016, the bank decommissioned two data centers that were used for its wealth management business. It completed this task with the help of a third-party company that was responsible for ensuring all personal data was removed from the servers. Throughout the process, the proper security protocols were not followed.
Breakdown of Lapse in Security
The fine that was issued by the Office of the Comptroller of the Currency (OCC) was accompanied by a report, which outlined the failures on the part of the bank:
- Failure to effectively assess/address the risks associated with the decommissioning of hardware
- Failure to assess the risk of using third-party vendors
- Failure to maintain an appropriate inventory of customer data on the devices
The result of these lapses, and of the company's failure to oversee the third party that performed the work, was a $60 million civil money penalty that must be paid to the US Treasury.
Effects of the Mishandling on Customers
While Morgan Stanley claims that it does not believe any customer data was accessed or misused, customers of the bank still filed a lawsuit against the company. The suit claimed that the bank failed to protect personally identifiable information (PII) when disposing of its equipment.
The data that could potentially have been exposed includes account numbers, social security numbers, passport numbers, dates of birth, and asset value and holdings data. In response to the lawsuit, Morgan Stanley offered the affected customers two years of prepaid credit monitoring services. A spokesperson for the bank said that it is taking all the necessary steps to remedy the deficiencies in its operations.
Protecting Personal Data at all Costs
Before data can be protected, it must first be properly assessed. One attorney not involved with the case said that the bank's problem was that it did not take stock of the data it held in order to work out how best to protect it. Without knowing what is at risk, there is little motivation to protect it. Once companies of any size understand how valuable PII and other corporate data are, they will be more inclined to take the steps needed to protect that information.
SecureDrives are hardware-encrypted storage devices that are FIPS 140-2 Level 3 validated. Because the drives are not connected to the internet, they are not exposed to network-based attacks, and they come preloaded with antivirus protection. Financial institutions and other corporate entities can readily adopt this type of storage to protect both internal and customer data. The SecureDrive BT can be remotely managed so that an administrator can determine when and where the drive may be accessed, and an Access Log records all drive activity.