Updates on the Morgan Stanley Data Breach
October 28, 2022
By now, most readers have most likely heard of the Morgan Stanley Data Breach incident. The latest $35M fine from the SEC, on top of the $128.2M Morgan Stanley has already shelled out, stems from the personal data of 15 million customers turning up on hard drives sold at auction, when that data was supposed to have been wiped.
What happened that fines are still being assessed and we are still talking about this mayhem?
Morgan Stanley originally hired the moving company, Triple Crown, in 2016 to decommission IT assets from two data centers. It was known that Triple Crown was strictly a moving company and not experienced with electronic data destruction. The contract identified an unnamed e-scrap management company that would sanitise the devices and resell them for a commission, with Morgan Stanley obtaining a cut. It has since become known that early on, Triple Crown stopped working with the unidentified company and began working with AnythingIT without Morgan Stanley’s knowledge. Triple Crown sold AnythingIT the electronics with data still on them, telling them the devices had already been wiped. AnythingIT in turn resold these devices downstream to KruseCom, who either destroyed them or sold them on an auction site.
Truly a story of passing the buck and a loss of accountability. Where is the certificate of destruction? Where is the vendor due diligence? There was none, which is why Morgan Stanley is paying dearly.
If you look up AnythingIT today, you’ll note that they are NAID AAA Certified. This has caused some confusion: if the third-party vendor involved in the Morgan Stanley debacle was certified, how could all of this have happened? As you can see, 1) they were given misinformation and were not contracted to do the actual data wiping, AND 2) at the time they were contracted, they were not yet NAID AAA Certified. Since this incident, AnythingIT has become NAID AAA Certified and has shown that they do in fact follow robust quality best practices, even submitting to unannounced audits.
There are many lessons learned through this incident for everyone, clients and service providers alike.
Morgan Stanley did not take the correct precautions to ensure it hired a reputable service provider, such as a NAID AAA Certified company that would have had rigorous guidelines in place for wiping the hard drives. And it seems that service-provider-to-service-provider contracts may have been lacking as well regarding the goods being transferred (do you have language in place for when you take possession of assets without destroying them?).