
Morgan Stanley fined millions for selling off devices full of customer PII
2022-09-23 18:07

The penalty was for selling off old hardware devices online, including thousands of disk drives, that were still loaded with personally identifiable information belonging to its clients.

Strictly speaking, it's not a criminal conviction, so the penalty isn't technically a fine, but it's "not a fine" in much the same sort of way that car owners in England no longer get parking fines, but officially pay penalty charge notices instead. Also, strictly speaking, Morgan Stanley didn't directly sell off the offending devices itself.

Someone in Oklahoma bought a few of the old drives, presumably as hot spares for their own IT operation, and realised that they were still full of Morgan Stanley client data.

Morgan Stanley apparently didn't activate the decryption option until at least one year after the devices went into use.

So all that Morgan Stanley can "prove", for the 42 devices that are still out there somewhere, is that each device almost certainly contains at least some client PII that definitely isn't encrypted.

Unlike garden waste in the compost bin or old bicycles dumped in the canal, misplaced data storage devices can show up in perfect working order, with all their original data intact, for years after you might have assumed they were lost without trace, or degraded beyond repair.
News URL

https://nakedsecurity.sophos.com/2022/09/23/morgan-stanley-fined-millions-for-selling-off-devices-full-of-customer-pii/