Morgan Stanley’s Data Breach That Won’t Die

The Data Breach That Won’t Die

Morgan Stanley, the global investment bank, has once again found itself in the spotlight for its mishandling of IT asset disposition (ITAD). In November 2023, the bank agreed to pay $6.5 million to settle an ITAD breach with five states, bringing the total cost of its ITAD-related penalties to a staggering $161.5 million. This latest settlement underscores the persistent nature of Morgan Stanley’s ITAD failures and raises concerns about the bank’s overall risk management practices.

A Trail of ITAD Mishaps

The Morgan Stanley ITAD saga began in 2020 when the bank disclosed two separate incidents involving the improper disposal of retired IT equipment. In one incident, a records reconciliation exercise revealed that 42 decommissioned servers were missing. In the other incident, a downstream purchaser of decommissioned equipment discovered data still present on the devices.

These incidents prompted a series of regulatory actions against Morgan Stanley. In October 2020, the Office of the Comptroller of the Currency (OCC) imposed a $60 million penalty on the bank for engaging in “unsafe or unsound practices that were part of a pattern of misconduct.” In January 2022, Morgan Stanley agreed to a $60 million settlement to resolve a class-action lawsuit. And in September 2022, the Securities and Exchange Commission (SEC) fined the bank an additional $35 million for the same incidents, describing them as “astonishing.”

Despite these penalties, Morgan Stanley’s ITAD woes continued. In November 2023, the bank was hit with a $6.5 million settlement from five states (Connecticut, New York, Florida, Indiana, New Jersey, and Vermont) for failing to properly dispose of IT equipment and protect sensitive customer data.

Unanswered Questions and Lingering Concerns

The repeated ITAD failures at Morgan Stanley raise several critical questions. Was the disappearance of 42 servers an isolated incident, or were there other instances of missing equipment that went unnoticed or unreported? What steps has Morgan Stanley taken to prevent future ITAD breaches?

The Morgan Stanley ITAD saga is a stark reminder of the importance of effective ITAD practices. Improper disposal of IT equipment can put sensitive data at risk, leading to financial penalties, reputational damage, and potential legal liabilities. Organizations must take proactive measures to ensure that their ITAD processes comply with regulations and adequately protect sensitive information.

Here are steps that can be taken to reduce risk and ensure compliance during IT asset disposition:

  • Maintain Separation of Duties: Don’t allow the fox to guard the henhouse.
  • Track IT Assets from the Moment They’re Acquired: Tracking IT assets from acquisition to disposition is crucial in ITAM.
  • Treat Inventory Discrepancies with Due Regard: Procedures must be in place before assets go missing.
  • Recognize That Encryption is Not a Silver Bullet: While encryption can prevent an incident from becoming a breach, it cannot prevent an incident from occurring and does not eliminate the requirement to detect and investigate incidents. Coke had a policy of encryption.
  • Destroy Data Before Devices are Moved: 99% of problems happen before an ITAD vendor touches the equipment. No vendor can protect an asset it doesn’t receive.
  • Use Disposal Tags: Tracking by serial number is not perfect. Disposal tags deter theft and prove chain of custody.
  • Have Equipment Held: Never allow an ITAD vendor to resell or destroy equipment without first establishing the chain of custody.
  • Don’t Share Inventory Reports with Vendors: ITAD vendors should not reconcile inventory, since they have a conflict of interest. They should instead report what they receive, and the data controller should reconcile that report against its own records.
  • Automate and Outsource Inventory Reconciliation: Reconciling spreadsheets takes time and effort. Additionally, the outcomes of a manual reconciliation may be arbitrary and difficult for another party to confirm without starting over.
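The reconciliation the list describes, as an added example (not code from the original article or from any vendor): the data controller keeps the decommission manifest, the vendor reports only what arrived, and the controller matches the two on both serial number and disposal tag, holding the equipment until every discrepancy is closed. Record layouts and sample values are constructed for illustration.

```python
"""Controller-side reconciliation of an ITAD shipment (added example,
constructed data). The vendor never sees the manifest; it reports receipts."""
from dataclasses import dataclass, field


@dataclass
class Reconciliation:
    missing: list = field(default_factory=list)       # on manifest, not received
    unexpected: list = field(default_factory=list)    # received, never on manifest
    tag_mismatch: list = field(default_factory=list)  # serial matched, tag did not

    def release_ok(self) -> bool:
        """Vendor may resell or destroy only when no discrepancy remains open."""
        return not (self.missing or self.unexpected or self.tag_mismatch)


def _norm(value: str) -> str:
    # Serials and tags are scanned or hand-typed inconsistently; normalise first.
    return value.strip().upper().replace("-", "")


def reconcile(manifest: list[dict], receipt: list[dict]) -> Reconciliation:
    expected = {_norm(r["serial"]): _norm(r["tag"]) for r in manifest}
    received = {_norm(r["serial"]): _norm(r["tag"]) for r in receipt}
    result = Reconciliation()
    for serial, tag in expected.items():
        if serial not in received:
            result.missing.append(serial)
        elif received[serial] != tag:
            # Disposal tag differs: chain of custody for this device is broken.
            result.tag_mismatch.append((serial, tag, received[serial]))
    result.unexpected = sorted(set(received) - set(expected))
    return result


# Constructed sample: the controller's manifest vs. the vendor's receipt report.
MANIFEST = [
    {"serial": "SRV-0001", "tag": "DT-1001"},
    {"serial": "srv-0002 ", "tag": "DT-1002"},
    {"serial": "SRV-0003", "tag": "DT-1003"},
]
RECEIPT = [
    {"serial": "SRV0001", "tag": "DT1001"},    # same device, scanner dropped dashes
    {"serial": "SRV-0002", "tag": "DT-1999"},  # wrong disposal tag on this serial
    {"serial": "SRV-0004", "tag": "DT-1004"},  # arrived but was never on the manifest
]

if __name__ == "__main__":
    outcome = reconcile(MANIFEST, RECEIPT)
    print(outcome, "release to vendor:", outcome.release_ok())
```

Every entry in `missing` is an incident to investigate, whether or not the device was encrypted; only a clean result lifts the hold.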

By following these steps, organizations can help to prevent ITAD data breaches.

Other things can help mitigate the risks, but they should only be used to support good disposition practices cited above. For more information, contact me at (888) 839-6555 or email