Morgan Stanley has for the first time named the IT Asset Disposal (ITAD) vendor it says caused the data loss incident that cost the bank a $60 million fine.
The company lost customer data during the decommissioning of two data centers in 2016. Having already paid a large fine to the regulator as a result of the incident, the company is also facing a potential class-action lawsuit which it is trying to have dismissed.
In its request to dismiss the case, the company lays the blame on a vendor known as Triple Crown, saying the company secretly sold on devices with customer data instead of wiping and recycling them as it was contracted to do.
Data center decommissioning woes
In July 2020 Morgan Stanley sent out a notice to customers, warning of two potential incidents relating to personal information.
The company said that during the decommissioning of two data centers in 2016, a vendor may not have wiped all information – including customer data – from hard drives. It also said that in 2019 it may have lost a server from a branch office during a hardware refresh, and that some of the deleted information may still be on the disk, unencrypted.
In October 2020 the US Office of the Comptroller of the Currency (OCC) fined Morgan Stanley Bank and Morgan Stanley Private Bank $60 million for failing to properly decommission hardware containing wealth management data from two data centers in 2016.
According to the OCC, the bank “failed to exercise proper oversight” of the decommissioning of the two US-based facilities.
The OCC said the banks failed to effectively assess or address the risks associated with decommissioning their hardware, failed to conduct adequate risk assessment and due diligence when engaging third-party vendors, failed to monitor vendor performance, and failed to maintain an appropriate inventory of the customer data stored on the devices.
The OCC said Morgan Stanley had similar deficiencies in 2019 around the decommissioning of wide-area application services devices. However, the regulator acknowledged Morgan Stanley has since undertaken corrective actions and was “committed” to taking necessary and appropriate steps to remedy the deficiencies.
Morgan Stanley blames Triple Crown
As a result of the breach, the company faced eight lawsuits, which were consolidated into a single class-action case. Morgan Stanley is now asking the court to dismiss that case, saying the complaint is “devoid of facts.”
In its filing, the bank says it discovered certain devices still contained data after leaving the control of an ITAD vendor, and was unable to locate a “small number” of devices.
Despite this, Morgan Stanley says it has not become aware of a single instance of customer information being accessed or misused, adding that it has closely monitored Internet and dark web forums. It also says some of the complaints against it contain “woefully insufficient” allegations of incidents that could not be tied to the bank's loss of data.
In the filing, the bank also names, for the first time, the ITAD vendor it says was at fault. The bank says Triple Crown was contracted to remove, wipe, and recycle the devices. Instead, it sold the devices to another ITAD firm, AnythingIT. Triple Crown reported to Morgan Stanley that the devices had been destroyed and billed the bank accordingly.
AnythingIT then also failed to wipe the devices, and sold them to another ITAD company, known as KruseCom, which either destroyed or sold on the devices.
The bank says a year later an IT consultant in Oklahoma informed the company he had found some of its data on a storage device he had purchased from KruseCom. The company said it then investigated, took steps to recover devices, and found no evidence of data misuse.
In the 2019 incident, the bank removed and replaced around 500 Wide Area Application Services devices from branch offices, and was unable to account for all of them during a subsequent inventory. The manufacturer reportedly told the bank a ‘software flaw’ meant some deleted information could remain on the disk unencrypted.
Resource-Recycling suggests Morgan Stanley was considering legal action against its service provider.
Separately, Morgan Stanley last month disclosed that the personal data of some of its clients was stolen in January in a data breach at one of its suppliers. Attackers reportedly accessed the information by exploiting a vulnerability in outsourcing firm Guidehouse's Accellion FTA server. Guidehouse provides account maintenance services to Morgan Stanley's StockPlan Connect business, and reportedly told the bank it has found no evidence that the stolen data has been distributed online.