Six Years Later, Data Breach Continues to Cost Morgan Stanley

Improper information technology asset disposition costs financial services provider tens of millions

Sixty million dollars. That’s how much Morgan Stanley, a global leader in financial services, agreed in January 2022 to pay clients to settle a class action lawsuit over its failure to safeguard their personal data. This $60 million settlement is in addition to the $60 million in civil fines the financial services giant already paid in October 2020. Morgan Stanley can only hope the lawsuits end here, as the breach has cost the firm $120 million so far.

The data breach also tarnished the reputation of the wealth management provider, which states on its website that “clients come first.”

What happened with Morgan Stanley?

Morgan Stanley closed two wealth management data centers in 2016 and decommissioned the computer equipment through an outsourced data wiping (overwriting) vendor. The equipment stored clients’ personal information, including Social Security numbers, credit card numbers, and dates of birth. The vendor failed to wipe the retired hard drives completely and then sold the equipment, still holding customer data, to third parties. The breach exposed the personal information of 15 million current and former clients. The lesson for Morgan Stanley and its service provider is that overwriting performed outside your control and never verified is neither secure nor reliable: the data owner had no way to confirm that every drive had actually been wiped before it left the vendor’s hands.

How can I prevent a Morgan Stanley incident?

The best way to prevent a breach like Morgan Stanley’s is to never let your media leave your custody until you have fully sanitized it of all data. Best practice for retiring media is to degauss it, physically destroy it, and verify both the sanitization and the destruction in-house, before the media leaves the walls of your facility.

Companies that collect customer data (banks, hospitals, health clinics, insurance brokers, etc.) have a legal obligation to protect that data from the point of acquisition through to end-of-life. That obligation cannot be contracted away to a vendor. As Morgan Stanley found out the hard way, outsourcing data destruction does not shift the risk or the liability off your company.

How can degaussing prevent a data breach?

A degausser produces a magnetic field strong enough to overpower the drive’s own recording field, erasing the data on a hard drive in less than a second. Degaussing works only on magnetic media such as hard disk drives and tape; solid-state drives and other flash media store data electrically and are unaffected, so they must be physically destroyed instead. A degausser rated for the coercivity of the drive leaves the data forensically unrecoverable; it also wipes the drive’s servo tracks, so the drive can never be read or reused again. After degaussing, the media should be physically destroyed by bending, breaking, mangling, or shredding it. Deforming the media deters any attempt to retrieve data, and it gives visual confirmation that the drive has been destroyed and is ready for disposal.
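The procedure above (degauss, destroy, verify in-house, and only then release) is only as good as the record that proves each drive went through it. The script below is an added example, not Garner’s code and not anything Morgan Stanley or its vendor used: it encodes a hypothetical release gate that holds any drive with no in-house sanitization record, any flash drive whose only sanitization step was degaussing, any drive that was merely overwritten, and any drive whose result was not checked by a second person. The asset and record fields, the media-type sets, and the sample inventory are all assumptions constructed for illustration.

```python
"""Release gate for retired storage media (added example, not Garner's code).

Policy encoded here (an assumption for illustration; adapt to your own
ITAD procedure):
  * A drive leaves the facility only if an in-house sanitization record
    exists for its serial number and a second person verified the result.
  * Degaussing counts only for magnetic media (HDD, tape). Flash media
    (SSD, NVMe, USB) is not erased by a magnetic field and must be destroyed.
  * Overwriting alone is never accepted; physical destruction must follow.
"""
from __future__ import annotations

from dataclasses import dataclass

# Media classes. Degaussing only disturbs magnetic domains, so it is accepted
# as a sanitization method for MAGNETIC_MEDIA only.
MAGNETIC_MEDIA = {"hdd", "tape"}
FLASH_MEDIA = {"ssd", "nvme", "usb"}
ACCEPTED_METHODS = {"degauss", "shred", "overwrite"}


@dataclass(frozen=True)
class Asset:
    serial: str
    media_type: str   # one of MAGNETIC_MEDIA or FLASH_MEDIA
    asset_tag: str


@dataclass(frozen=True)
class SanitizationRecord:
    serial: str
    method: str        # "degauss", "shred", or "overwrite"
    destroyed: bool    # physical destruction witnessed after sanitization
    performed_by: str
    verified_by: str   # second person who checked the result; "" if nobody


def release_decision(asset: Asset, records: list[SanitizationRecord]) -> tuple[bool, str]:
    """Return (may_leave_facility, reason) for one drive."""
    mine = [r for r in records if r.serial == asset.serial]
    if not mine:
        return False, "no in-house sanitization record; hold on site"
    rec = mine[-1]  # most recent record for this serial wins
    if rec.method not in ACCEPTED_METHODS:
        return False, f"unknown sanitization method {rec.method!r}; hold"
    if rec.method == "degauss" and asset.media_type in FLASH_MEDIA:
        return False, "degaussing does not erase flash media; destroy instead"
    if rec.method == "degauss" and asset.media_type not in MAGNETIC_MEDIA:
        return False, f"unknown media type {asset.media_type!r}; hold"
    if rec.method == "overwrite" and not rec.destroyed:
        return False, "overwrite alone is not accepted; destroy before release"
    if not rec.destroyed:
        return False, "not physically destroyed"
    if not rec.verified_by or rec.verified_by == rec.performed_by:
        return False, "no independent verification of the result"
    return True, f"cleared ({rec.method} + destruction, verified by {rec.verified_by})"


def gate(assets: list[Asset], records: list[SanitizationRecord]) -> dict[str, tuple[bool, str]]:
    """Decide release for every asset in the decommissioning inventory."""
    return {a.serial: release_decision(a, records) for a in assets}


# Constructed sample inventory and sanitization log (not real data).
SAMPLE_ASSETS = [
    Asset("A1", "hdd", "DC1-0001"),
    Asset("A2", "ssd", "DC1-0002"),
    Asset("A3", "hdd", "DC1-0003"),   # never logged: this is the Morgan Stanley failure mode
    Asset("A4", "hdd", "DC1-0004"),
    Asset("A5", "hdd", "DC1-0005"),
    Asset("A6", "ssd", "DC1-0006"),
]
SAMPLE_RECORDS = [
    SanitizationRecord("A1", "degauss", True, "alice", "bob"),
    SanitizationRecord("A2", "degauss", True, "alice", "bob"),     # degauss on SSD
    SanitizationRecord("A4", "overwrite", False, "alice", "bob"),  # wiped, not destroyed
    SanitizationRecord("A5", "shred", True, "alice", "alice"),     # self-verified
    SanitizationRecord("A6", "shred", True, "alice", "bob"),
]


def held_serials(assets=SAMPLE_ASSETS, records=SAMPLE_RECORDS) -> list[str]:
    """Serials that must stay in custody until their record is fixed."""
    return sorted(s for s, (ok, _) in gate(assets, records).items() if not ok)


if __name__ == "__main__":
    for serial, (ok, why) in gate(SAMPLE_ASSETS, SAMPLE_RECORDS).items():
        print(f"{serial}: {'RELEASE' if ok else 'HOLD'} - {why}")
```

Run it as-is to see the decisions for the constructed inventory; only A1 and A6 are cleared. The useful property is that the default answer is “hold”: a drive with no record, an unmatched media type, or an unknown method is never released by accident, which is the opposite of what happens when the list of drives to be wiped lives only with the vendor.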

“Proper ITAD (information technology asset disposition) can protect a company from lawsuits, financial losses, tarnished reputations and even criminal liability,” said Michelle Stofan, Garner Products Vice President. “Use a degausser to sanitize the media of all data before it leaves your facility. A relatively small investment now can have big payoffs in the long run and prevent physical breaches like Morgan Stanley’s.” 

Garner degaussers comprehensively destroy data on retired hard drives in seconds, saving your company from costly and embarrassing data breaches like Morgan Stanley’s.