The 2016 Morgan Stanley Data Breach: Lessons in EOL Data Security

Image of glowing padlock for EOL data security awareness, related to the 2016 Morgan Stanley data breach.

One year ago, on September 20, 2022, the Securities and Exchange Commission (SEC) imposed a
hefty $35 million fine on Morgan Stanley.

In a sobering reminder of the critical importance of safeguarding customer information, Morgan Stanley found itself at the center of a major data breach incident in 2016. The breach, which occurred in June 2016 exposed the personal data of a staggering 15 million customers due to a chain of errors that led to unauthorized access to sensitive information.

The breach was a watershed event that served as a stark reminder of the critical importance of End-of-Life (EOL) data security. The incident not only exposed sensitive personal identifiable information but shook the foundations of trust in the financial industry and left Morgan Stanley reeling from recurring financial repercussions.

This blog post will delve into lessons learned in the aftermath of the breach, including the impact of losing customer trust, a damaged reputation, and underscore the significance of proper EOL data destruction.

A Brief Overview

The 2016 data breach began when Morgan Stanley engaged the services of Triple Crown, a moving and storage company, to decommission IT assets from two data centers. The Securities and Exchange Commission (SEC) noted that Triple Crown gravely lacked the necessary expertise in data destruction, resulting in a failure to properly sanitize the EOL hard drives before offloading them to a third party. These improperly sanitized hard drives still containing privileged customer financial data eventually found their way to an auction site where they were snapped up by third parties.

The data breach remained undetected until July 2017, when one of the third parties in possession of the compromised hard drives reached out to Morgan Stanley. The financial institution then notified both the affected customers and the SEC of the breach.

The consequences of this breach were substantial. On September 20, 2022, the SEC imposed a hefty $35 million fine on Morgan Stanley. The regulatory body determined that the financial giant had fallen short in several critical areas:

  1. Inadequate Policies and Procedures: Morgan Stanley had failed to establish and enforce sufficient policies and procedures for the proper disposal of customer information.
  2. Service Provider Oversight: The institution neglected to effectively monitor its service providers, ensuring that they adhered to proper customer information disposal practices.
  3. Due Diligence Lapse: The company also came short in conducting thorough due diligence on Triple Crown, the moving and storage company tasked with disposing of the sensitive devices.

In 2019, Morgan Stanley once again came under the spotlight. The bank disconnected and retired 500 servers from various local branch offices around the country but later determined that it could not account for some of the devices that contained unencrypted data before being sold to a third party.

As a result of the 2016 and 2019 data management failures, Morgan Stanley was then slapped with a massive $60 million fine by the Office of the Comptroller of the Current (OCC) in October 2020, and another $60 million class action lawsuit settlement in January 2022.

Lessons Learned

The incidents surrounding Morgan Stanley’s data breaches in 2016 and 2019 serve as stark reminders of the far-reaching consequences that can stem from inadequate and improper EOL data management practices. It is imperative for industry leaders and businesses to learn from past oversights and fortify their EOL data management strategies to navigate an increasingly complex and interconnected data security landscape.

2016 Morgan Stanley Data Breach: Lessons in EOL Data Security. Image of text listing lessons learned, prohibiting media containing data from leaving controlled facilities, in-house data destruction matters, and verifiable data destruction is paramount.

Lesson 1: Prohibit Media Containing Data from Leaving Controlled Facilities

No EOL storage media should ever leave a facility or be released to a third-party vendor without undergoing an in-house data destruction process. The sole responsibility for upholding the security and confidentiality of all sensitive data lies with the data collector in perpetuity. Morgan Stanley as the collector of data was held fully accountable and liable for the 2016 and 2019 data breaches despite engaging a third-party vendor to manage its EOL assets.

Lesson 2: The Importance of In-House Data Destruction

The Morgan Stanley data breach highlighted the critical significance of establishing a robust in-house EOL data destruction process.

A pivotal component of this process is degaussing, a method that employs a powerful magnetic field to irrevocably erase the magnetic properties of hard disk drives (HDD). Proper degaussing is the only method that can guarantee the complete destruction of 100% of HDD data. The credibility of degaussing is attested by its meticulous alignment with the stringent security requirements of the National Security Agency (NSA) and Department of Defense (DOD). When dealing with solid-state drives, the imperative lies in subjecting the SDDs to the proper physical destruction of their flash memory chips, thereby rendering data recovery impossible.

Recommended Read: What is degaussing?

View Garner Products’ full line of in-house data destruction products.

By adopting and implementing a comprehensive in-house data destruction policy, organizations can tailor their data destruction practices to align with their specific security protocols, ensuring compliance with industry standards and regulations, enhancing security, maintaining control, and achieving ultimate efficiency in EOL data privacy.

Lesson 3: Verifiable Data Destruction is Paramount

The importance of data destruction verification and documentation was reinforced by Morgan Stanley data breaches. Organizations must establish procedures to confirm and document the successful data destruction of EOL storage media. This verification process provides accountability and creates an audit trail, essential for regulatory compliance and due diligence in data protection efforts. If Morgan Stanley had used an IRONCLAD Destruction Verification System-compatible device to degauss the drives in-house before releasing the drives to a third-party ITAD vendor, they would have possessed concrete documentary evidence demonstrating the thorough degaussing process that eliminates all HDD data. Morgan Stanley would then be at zero risk of data breaches and the subsequent financial implications.

Recommended Read: What is IRONCLAD?

Reliability and Trust

The ramifications of a company losing customer trust can be profound and far-reaching. In the case of Morgan Stanley, Gurbir S. Grewal, Director of the SEC’s Enforcement Division acknowledged in 2022 that, “[c]ustomers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and Morgan Stanley fell woefully short in doing so.”


Looking back, the 2016 Morgan Stanley data breach stands as a stark cautionary tale of the crucial significance of robust End-of-Life (EOL) data security practices. The incident serves as an example of the potentially far-reaching consequences stemming from inadequate EOL data management, encompassing not only the erosion of customer trust but also the imposition of financial penalties and reputational damage.

The subsequent data breach in 2019 further underscores the necessity of heeding the lessons embedded within these incidents. By prioritizing secure data handling, implementing effective in-house data destruction measures, and adhering to rigorous verifiable data destruction protocols, organizations can proactively safeguard their sensitive data and maintain the integrity of their customer relationships.

Find out more about Garner Products’ Verifiable Data Destruction.

About Garner Products

Garner Products designs and manufactures premium equipment that delivers complete, permanent, and verifiable data destruction. For over 60 years, Garner has provided the education, systems, and support that enable customers worldwide in all industries to securely destroy data.