Morgan Stanley, according to James, “employed a moving company with no expertise in data destruction services to decommission hundreds of hard drives and servers containing sensitive information of hundreds of thousands of its customers.”
Morgan Stanley then “didn’t properly monitor the moving company’s work, and its computer equipment, some of which still contained personal customer information, was then sold at auction.”
Morgan Stanley was only made aware of the problem when a purchaser found the data and called the company, according to James’ office.
In a second incident, Morgan Stanley discovered during a decommissioning process that 42 servers, all potentially containing unencrypted customer information, were missing.
“During this process, the company realized that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software,” the order states.
The multistate investigation found that Morgan Stanley “failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, both data security events could have been prevented,” James said.
Morgan Stanley said in a statement that the firm has “previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to have resolved this related investigation.”