Morgan Stanley is accused of “ignoring industry standards” over its 2016 data loss incident.
The company lost customer data during the decommissioning of two data centers in 2016. Having already paid a large fine to the regulator as a result of the incident, the company is also facing a potential class-action lawsuit which it is trying to have dismissed.
Lawyers representing consumers in a class action complaint against Morgan Stanley filed a response to the company’s recent request that the lawsuit be dismissed, providing more details and allegations of negligence.
As reported by Resource Recycling, the plaintiff’s lawyers said the bank had dismissed IBM in favor of an “unknown and unqualified vendor” to decommission its computer equipment as part of “profit-driven decisions” in order to save $100,000 (roughly 0.0017 percent of its 2016 revenue, notes the filing).
“The Morgan Stanley personnel responsible for overseeing the project...ignored industry standards, electing instead to save approximately $100,000 by selecting a non-ITAD (IT asset disposition) vendor for the job, and choosing the ‘poor man’s wipe’ when decommissioning the equipment, which IBM, Morgan Stanley, and others knew would leave unencrypted data intact on the equipment,” reads the filing.
Morgan Stanley is accused of “reckless behavior,” having a “reckless disregard of privacy,” and “failing to ensure and verify that its vendors followed proper sanitization and disposal practice.” The company also reportedly failed to locate an overwhelming majority of the lost devices, one of which was located by the plaintiff’s counsel, who said it had client Personally Identifiable Information (PII) accessible and readable in plain text.
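The two technical points in the filing, that a “poor man’s wipe” (clearing the filesystem’s bookkeeping without touching the data blocks) leaves client records readable, and that a sanitization result has to be verified against the raw media rather than trusted from a vendor’s certificate, are illustrated below in an added simulation that is not part of the article, the filings, or any Morgan Stanley or vendor tooling. The disk image, its one-block toy directory, and the client record are all constructed here; only the `scan_for_pii` step resembles what a verifier would run over a real image (for example one captured with `dd`), and the patterns it looks for are assumptions chosen for the fake record.

```python
import re

# Constructed simulation of a raw drive: a zero-filled bytearray of fixed-size
# blocks. Block 0 plays the role of the filesystem directory; the rest hold data.
BLOCK = 512
N_BLOCKS = 64

# Fake wealth-management record (constructed; not real client data).
RECORD = b"CLIENT=Jane Example;SSN=123-45-6789;ACCT=987654321012\n"

# Assumed PII patterns for the verification scan: a US SSN and a 12-digit
# account number tagged "ACCT=". A real scan would carry many more.
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "account": re.compile(rb"ACCT=\d{12}\b"),
}


def new_image():
    """Blank image standing in for a freshly provisioned drive."""
    return bytearray(BLOCK * N_BLOCKS)


def write_file(img, block_no, data):
    """Store data in block_no and register it with a 'file@<block>\\n' entry in block 0."""
    assert 1 <= block_no < N_BLOCKS and len(data) <= BLOCK
    start = block_no * BLOCK
    img[start:start + len(data)] = data
    entry = b"file@%d\n" % block_no
    dir_end = img.index(b"\x00", 0, BLOCK)  # first free byte of the directory
    img[dir_end:dir_end + len(entry)] = entry


def list_files(img):
    """What a filesystem-level inventory sees: directory entries only."""
    return [int(m.group(1)) for m in re.finditer(rb"file@(\d+)\n", bytes(img[:BLOCK]))]


def quick_format(img):
    """The 'poor man's wipe': erase the directory, leave every data block as it was."""
    img[:BLOCK] = bytes(BLOCK)


def overwrite(img, pattern=b"\x00"):
    """Single-pass overwrite of the whole image, allocated or not."""
    img[:] = (pattern * (len(img) // len(pattern) + 1))[:len(img)]


def scan_for_pii(img):
    """Verification step: search the raw bytes, ignoring the directory entirely.

    Returns (label, byte offset) pairs so each finding can be traced to a block.
    """
    raw = bytes(img)
    hits = []
    for label, pat in PII_PATTERNS.items():
        hits.extend((label, m.start()) for m in pat.finditer(raw))
    return sorted(hits, key=lambda h: h[1])


def demo():
    """Write a record, quick-format, scan; then overwrite and scan again."""
    img = new_image()
    write_file(img, 5, RECORD)
    files_before = list_files(img)
    quick_format(img)
    result = {
        "files_before": files_before,
        "files_after_quick_format": list_files(img),   # directory says: nothing here
        "hits_after_quick_format": scan_for_pii(img),  # raw media says otherwise
    }
    overwrite(img)
    result["hits_after_overwrite"] = scan_for_pii(img)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After `quick_format` the directory is empty, which is exactly the state in which a vendor can report a device as “wiped”, yet the SSN and account number are still found at their original offsets in block 5; only the full `overwrite` makes the scan come back empty. The practical lesson is the one the filing draws: acceptance of a decommissioned device should rest on a scan of the raw media (or on cryptographic erase of an encrypted drive, or physical destruction), not on an inventory that consults the filesystem.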
There were also alleged lapses in Morgan Stanley’s internal record-keeping tracking retired assets. The plaintiff lawyers alleged the Morgan Stanley vice president who was fired “admitted to his colleagues that Morgan Stanley had used asset inventory control software to track decommissioned devices … early in the project, but then stopped doing so.”
The bank is yet to file a response, but claims no harm has come to customers as a result of the data loss.
“We have continuously monitored the situation and have not detected any unauthorized access to, or misuse of, personal client information,” a Morgan Stanley spokesperson noted in a written statement to Resource Recycling. “We continue to vigorously defend against these claims.”
In its August request to dismiss the case, Morgan Stanley laid the blame on a vendor known as Triple Crown, saying the company secretly sold on devices with customer data instead of wiping and recycling them as it was contracted to do.
In its filing, the bank says it discovered certain devices still contained data after leaving the control of an ITAD vendor, and was unable to locate a “small number” of devices. Triple Crown was reportedly contracted to remove, wipe, and recycle the devices. But, instead, it sold the devices to another ITAD firm, AnythingIT and told Morgan Stanley the devices had been destroyed as requested.
AnythingIT then also failed to wipe the devices, and sold them to another ITAD company, known as KruseCom, which either destroyed or sold on the devices. A year later an IT consultant in Oklahoma informed the company he had found some of its data on a storage device he had purchased from KruseCom. The company said it then investigated, took steps to recover devices, and found ‘no evidence’ of data misuse.
The newest filings from the plaintiff say Morgan Stanley simply asked ‘Mr. Oklahoma’ to overwrite the data to destroy any evidence of its disclosure before paying him $40,000 for his efforts, in addition to certain legal fees, and his consent to a non-disclosure agreement.
“Thousands of additional pieces of IT equipment containing unencrypted Morgan Stanley client PII that were sold on the internet remain in the hands of other third party purchasers, who have the skills that enable them to access Plaintiffs’ and Class members’ PII.”
In October 2020 the US Office of the Comptroller of the Currency (OCC) fined Morgan Stanley Bank and Morgan Stanley Private Bank $60 million for failing to properly decommission hardware containing wealth management data from two data centers in 2016.
The OCC action also covered a 2019 incident, in which the bank removed and replaced around 500 Wide Area Application Services (WAAS) devices from branch offices and was unable to account for all of them during a subsequent inventory. The manufacturer reportedly told the bank that a ‘software flaw’ meant some deleted information could remain on the disks unencrypted.
Resource Recycling suggests Morgan Stanley was considering legal action against its service provider.