The international financial services giant Morgan Stanley has recently agreed to pay a $60 million fine levied by the U.S. Office of the Comptroller of the Currency (OCC) to resolve a lawsuit stemming from two separate data exposure incidents. The breaches, which occurred in 2016 and 2019, impacted a total of 15 million current and former Morgan Stanley customers whose sensitive data and personally identifiable information were exposed. But what caused the data leaks, what has the response been and how can other organizations prevent these events from happening in the future?
Legacy tech mishandling leads to two separate data breaches
If you keep up with data breach news, you may have first thought of the Morgan Stanley data breach from July 2021. That's when the firm disclosed that hackers stole some of its clients' personal data by exploiting vulnerabilities at the third-party vendor Guidehouse. However, this was a separate incident that affected far fewer people. Instead, the $60 million settlement comes after a 2020 investigation by the OCC, which found that Morgan Stanley failed to maintain the security of stored customer data and to recognize the risks of a potential data breach both internally and from third-party vendors.
The issues began when Morgan Stanley closed two of its data centers in 2016. The firm hired a third-party vendor to decommission the servers and other hardware inside before selling it to recyclers. However, this vendor never wiped the data from the legacy equipment, meaning that client information was still accessible to anyone with the hardware. Morgan Stanley became aware of this issue in 2017 when a recycler brought it to the firm's attention, but a second data breach occurred in 2019 because the same vendor again neglected to scrub the data. As a result, the OCC launched its investigation and ordered Morgan Stanley to notify any current and former clients who may have been affected by the breaches.
Morgan Stanley's response
The motion from the OCC states that Morgan Stanley began distributing letters of notice in July 2020, offering customers whose data may have been stored on the devices a two-year subscription to Experian to monitor their credit reports. This type of free credit-tracking offer is common after data exposure incidents and is occasionally mandated by regulators. Additionally, Vince Lumia, field management head at Morgan Stanley, released a memo in which he stated, "We have continuously monitored the situation — looking not only for data associated with [its] clients but any information indicating a breach of Morgan Stanley client data — and have not detected any unauthorized activity related to the incident."
Morgan Stanley has also hired a third-party firm to locate the missing equipment over the next year, and some of it has already been recovered. However, the bank still denies any claims of liability and is considering appropriate legal action against the vendor originally hired to decommission the legacy equipment. With regard to the OCC lawsuit, a spokesperson for Morgan Stanley told Bloomberg, "We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation."
The high cost of mishandling data
After Morgan Stanley notified its customers of the data breach, a separate class-action lawsuit was filed against the firm in 2020, according to Reuters. If approved by the Manhattan federal court judge, the bank will have to pay $60 million to those impacted by the breach, on top of the OCC's original penalties. In total, Morgan Stanley could end up paying over $120 million in fines for mishandling its legacy equipment. But the global financial giant isn't the only one facing potential damages.
While Lumia stated in his memo that "it would be very difficult for anyone to access or misuse the data" stored on the old hardware, the customers who entrusted their information to Morgan Stanley are still at risk. The improperly discarded servers and equipment contained lists of names, financial information, addresses, birth dates and Social Security numbers, leaving current and former customers vulnerable to identity theft. Because of this risk, the class-action lawsuit will entitle claimants to at least two years of fraud insurance services and up to $10,000 for out-of-pocket expenses through a settlement fund.
How to protect your organization from data breaches
These massive data breaches and the hefty fines levied against Morgan Stanley serve as a warning to other organizations that if they don't follow basic data security practices, they will ultimately be held accountable. And with data breaches becoming increasingly common, it has never been more important for organizations to audit their internal and external processes. This includes the decommissioning process of legacy equipment.
According to Business Insider, even wiping a hard drive might not be enough to prevent bad actors from accessing its contents in the future. Instead, companies looking to dispose of old hardware should either encrypt their data before wiping, so that anything a wipe leaves behind is only ciphertext, or completely destroy the device. For organizations still using legacy systems or applications, consider using a terminal emulation tool that provides a fast and secure user experience.
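The following is an added example, not code from the article or from Inventu, illustrating why "encrypt before wiping" matters: it builds a constructed sample disk image with a few fake customer records, simulates a vendor wipe that only overwrites part of the media (as happened with the unwiped Morgan Stanley hardware), and then scans what remains for Social Security number patterns. The encrypt-before-wipe path uses a toy SHA-256 counter-mode keystream purely for illustration; a real deployment would rely on full-disk encryption (AES-XTS or a self-encrypting drive) and a key that is destroyed at decommissioning time. All names, records and sector layouts here are constructed.

```python
import hashlib
import re
import secrets

SECTOR = 512
# Matches the common ###-##-#### Social Security number layout in raw bytes.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def build_sample_image(num_sectors: int = 64) -> bytearray:
    """Constructed sample 'disk image': mostly zeros with a few fake customer records planted."""
    img = bytearray(num_sectors * SECTOR)
    records = [  # (sector index, record bytes) - constructed test data, not real people
        (5, b"name=Jane Doe;dob=1980-01-02;ssn=123-45-6789;acct=0001"),
        (40, b"name=John Roe;dob=1975-11-30;ssn=987-65-4321;acct=0002"),
        (63, b"name=Ann Poe;dob=1990-07-15;ssn=555-44-3333;acct=0003"),
    ]
    for sector, rec in records:
        off = sector * SECTOR
        img[off:off + len(rec)] = rec
    return img


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only; use AES-XTS/AES-GCM in practice)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor_with_key(img: bytearray, key: bytes) -> bytearray:
    """Encrypt (or decrypt) the whole image under `key`; same call both directions."""
    return bytearray(a ^ b for a, b in zip(img, keystream(key, len(img))))


def partial_wipe(img: bytearray, fraction: float) -> bytearray:
    """Simulate a sloppy vendor wipe that zeroes only the first `fraction` of the media."""
    out = bytearray(img)
    end = int(len(out) * fraction) // SECTOR * SECTOR
    out[:end] = bytes(end)
    return out


def residual_sectors(img: bytearray) -> list:
    """Sector indices that still hold any non-zero data after the wipe."""
    return [i for i in range(len(img) // SECTOR) if any(img[i * SECTOR:(i + 1) * SECTOR])]


def find_ssns(img: bytearray) -> list:
    """Recoverable SSN-shaped strings, the kind of remnant a recycler could read off the drive."""
    return [m.group().decode() for m in SSN_RE.finditer(img)]


def decommission_report(img: bytearray, encrypt_first: bool, wipe_fraction: float) -> dict:
    """Run the decommissioning scenario and report what an attacker could still recover.

    encrypt_first=True models crypto-erase: data was encrypted at rest and the key is
    discarded, so any sector the wipe misses is ciphertext rather than plaintext PII.
    """
    key = secrets.token_bytes(32)
    at_rest = xor_with_key(img, key) if encrypt_first else bytearray(img)
    del key  # crypto-erase step: the key never leaves with the hardware
    after = partial_wipe(at_rest, wipe_fraction)
    leftover = residual_sectors(after)
    return {
        "residual_sectors": leftover,
        "ssns_recoverable": find_ssns(after),
        "sanitized": not leftover,
    }


if __name__ == "__main__":
    image = build_sample_image()
    print("plaintext, half-wiped :", decommission_report(image, False, 0.5))
    print("encrypted, half-wiped :", decommission_report(image, True, 0.5))
    print("plaintext, fully wiped:", decommission_report(image, False, 1.0))
```

With the plaintext image and a half-finished wipe, the two records in the upper sectors are recoverable verbatim; with encryption applied before the same incomplete wipe, the remaining sectors are non-zero but yield no readable identifiers. A decommissioning checklist can use `residual_sectors` on a post-wipe read-back to verify that the vendor actually overwrote the whole device rather than taking the vendor's word for it.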
Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary web terminal emulation tool called Inventu Viewer+, a high-performance emulation solution that is built with C at its core. Inventu Viewer+ supports SAML 2.0 and other identity technologies to enable securing your critical mainframe applications. This allows the deployment of reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers. All in all, the Inventu Viewer+ web terminal emulation meets employer and staff expectations in a way that feels both familiar and simple. Contact us today and see how Inventu can help you integrate your active terminal emulation with the best web identity frameworks available.