Morgan Stanley has agreed to pay a $6.5 million settlement for insecurely disposing of hardware containing unencrypted personal information.
The Florida Attorney General said that Morgan Stanley, a multinational investment bank and financial services company, exposed the personal information of millions of customers due to inadequate data-security practices.
During the investigation of the incident, the company disclosed that it had not properly erased unencrypted personal information stored on devices that were being decommissioned.
In particular, while decommissioning thousands of hard drives containing sensitive consumer information, Morgan Stanley hired a vendor with no experience in data-destruction services and failed to monitor its work.
According to the AG, the inexperienced vendor sold the computer equipment at internet auctions without Morgan Stanley's knowledge. Eventually, an end purchaser found the data and contacted Morgan Stanley.
The second time Morgan Stanley initiated a decommissioning process, it found 42 servers missing that potentially contained unencrypted customer information. A thorough investigation attributed the issue to a manufacturer flaw in the encryption software, and also found that Morgan Stanley had failed to implement proper vendor controls and asset inventories, which could have prevented the data exposure.
Morgan Stanley has been ordered to encrypt data both at rest and in transit; implement a data collection, use, retention, and disposal policy; implement tools to track hardware containing personal information; and maintain an information security program, an incident response plan, and a vendor risk assessment team.
For safe and secure best practices, contact Jypra Group.
Source: Security Week