
SEC fines Morgan Stanley Smith Barney $35 million over failure to secure customer data

The financial giant hired a moving company with no expertise in data destruction to dispose of hard drives holding the personal data of around 15 million customers, the SEC said.

Morgan Stanley building and logo. Morgan Stanley is an American multinational financial services corporation.
Image: Adobe Stock

Morgan Stanley Smith Barney (MSSB) has earned itself a hefty fine from the U.S. government after failing to protect the personally identifiable information (PII) of millions of customers. In a notice posted Monday, the SEC announced that the company consented to the agency’s finding that it violated federal rules on the safeguarding and disposal of customer data. In response, MSSB has agreed to pay a penalty of $35 million.

Why was Morgan Stanley Smith Barney fined?

The finding stems from actions dating back as far as 2015 in which MSSB neglected to properly dispose of hardware containing the PII of its customers. Tasked on several occasions with decommissioning thousands of hard drives and servers holding customer data, the company hired a moving and storage firm with no expertise in data destruction and failed to monitor the firm’s work, according to the SEC.

The agency’s investigation found that the moving firm sold thousands of the servers and hard drives, some containing customer PII, to a third party. Those devices were ultimately resold on an internet auction site, still with the customer data on them. MSSB recovered some of the devices, but most are still missing, including 42 servers. The recovered devices were found to contain unencrypted customer data. Even though the company had equipped them with an encryption option, it neglected to activate that feature.

“MSSB’s failures in this case are astonishing,” stated Gurbir Grewal, director of the SEC’s Enforcement Division. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”


What was MSSB’s response?

For its part, MSSB complied with the SEC’s order and agreed to pay the fine without admitting or denying the specific findings. In a statement sent to TechRepublic, an MSSB spokesperson said: “We are pleased to be resolving this matter. We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information.”

But MSSB clearly made several errors in this chain of events. The company failed to properly vet the moving and storage firm. It failed to monitor that firm’s work. And it failed to enable encryption on the devices even though the option was available.

“The case of MSSB is unique since they gave hard drives and servers to a third party while storing PII in plaintext,” said Gil Dabah, co-founder and CEO of security firm Piiano. “Usually, attackers must gain credentials using social hacking or utilizing known vulnerabilities. A few lines of defense are needed (like access control, tokenization, masking, etc.) to prevent unauthorized access to PII. Here, simple encryption would have solved the problem.”

The fine, combined with MSSB’s failures to protect personal data, should serve as a wake-up call to other organizations that collect and store sensitive customer data.

“The size of the fine speaks to the visibility that data security should have within an organization,” said Mike Puterbaugh, CMO at security firm Pathlock. “Suffice to say this should be seen as a board-level accountability topic. This news should create a call to action to review data security capabilities (tools, processes, etc.) and ensure that internal audits encompass the testing and proving of data security controls.”


Advice for organizations

How can organizations make sure they are properly securing customer data and avoid regulatory or legal trouble?

“Organizations should start with the most attractive target for data theft—the business applications that every company relies upon,” Puterbaugh said, citing ERP, HR and supply chain applications as specific examples.

Proper data security requires that organizations have the necessary tools for testing their controls, according to Puterbaugh. These include role-based access controls that determine who can perform which tasks, and policy-based access controls designed to protect data dynamically.

“What’s important for company boards and leadership to understand is that data security requires the business (the lines of business that rely on the business applications that store sensitive data) and IT (responsible for protecting and securing broader systems) to work together to create effective policies for securing sensitive data,” Puterbaugh added.

If your organization needs a policy for properly disposing of sensitive digital data, TechRepublic Premium has one to get you started. Click here to download it now and subscribe to gain access to more helpful resources.
