American financial services giant Morgan Stanley agreed to pay the Securities and Exchange Commission (SEC) a $35m penalty on Tuesday over data security lapses.
According to the SEC's complaint, the firm would have allowed roughly 1000 unencrypted hard drives (HDDs) and about 8000 backup tapes from decommissioned data centers to be resold on auction sites without first being wiped.
The improper disposal of the devices reportedly started in 2016 and per the SEC complaint, was part of an "extensive failure" that exposed 15 million customers' data.
In fact, instead of destroying the hard drives or employing an internal IT team to erase them, Morgan Stanley would have contracted an unnamed third–party moving company with allegedly no experience in decommissioning storage media to take care of the hardware.
The moving company initially subcontracted an IT firm to wipe the drives, but their business relationship went sour, so the mover started selling the storage devices to another firm that auctioned them online without erasing them.
"This is an astonishing security mistake by one of the world's most prestigious banks, who would be expected to have well–established procedures in system life cycle management," Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity Magazine.
"Not only does the situation mean that the bank put customer data at risk, but it also demonstrates the organization was not following an expected policy which explained the secure disposing of IT equipment."
The events first came to light after an IT professional from Oklahoma spotted some of the hard drives online in 2017 and emailed Morgan Stanley about it. Upon being notified, the company then bought back all the HDDs the consultant had in his possession.
Fast forward to today, Morgan Stanley agreed to pay the fine without admitting guilt or wrongdoing. The company also reportedly told The Business Standard that there is no indication that any customers were affected.
"Other businesses must use this case as an example of why it is critical to have processes in place on how to properly dispose of IT equipment. IT systems hold confidential information, so working with a trusted provider that can destroy data without putting it at risk is essential," Schroeder added.
"Any company that doesn't do this will find itself breaching GDPR and other privacy regulations and could face similar fines."
The news comes weeks after Ireland's Data Protection Commission (DPC) issued a fine of €405m ($402.2m) against Instagram after an investigation into its handling of children's data.