Morgan Stanley Pays One of The Largest Fines in Wake of ITAD Mistakes

Banking giant Morgan Stanley failed to protect the personal identifying information (PII) of 15 million people through mishandled IT asset disposition (ITAD). The resulting penalties and settlements have grown to more than $163 million.

Morgan Stanley Smith Barney (MSSB) Under Fire

Morgan Stanley, a global leader in investment banking, is still dealing with the consequences of some of the most costly ITAD missteps on record. In 2016, MSSB repeatedly hired a moving company, Triple Crown, with no data destruction experience to decommission two United States data centers. Devices from those data centers were later sold on an internet auction site without the sensitive data on them having been removed. Then, in 2019, Morgan Stanley simply ‘lost track of’ a number of devices containing customer data.

Morgan Stanley offers services to clients of all walks of life, including brokerage and investment advice, market making in fixed income securities, financial and wealth planning, annuity and insurance products, credit and other lending products, general banking, and retirement planning. Across that wide reach, the firm failed to protect the personal identifying information of 15 million people, damaging its standing with customers and in the media. These incidents have become standard examples of the dangers of improper disposition of electronics.

Where the Problems Began

In 2016, Morgan Stanley (MSSB) contracted Triple Crown to decommission two data centers. Before the project even began, MSSB knew that Triple Crown was strictly a moving company with no expertise in electronic data destruction. The vendor was expected to pick up, transport, and wipe certain devices, and the contract also named a partnership with an unidentified e-waste management company. The understanding was that after all data had been deleted, the devices would be resold, with Morgan Stanley receiving 60-70% of the resale value along with detailed IT asset disposition reports and certificates of destruction.

Additional Details Unfold

Early in the project, according to the SEC order, Triple Crown stopped working with the unidentified e-waste company and began working with a New Jersey based company, AnythingIT. This was done without MSSB’s knowledge or consent. According to the U.S. Securities and Exchange Commission (SEC), AnythingIT began purchasing ‘previously wiped’ drives from Triple Crown and provided certificates of indemnification (COIs) in return, documents that “simply represented that AnythingIT assumed possession of the devices and risk of loss.” They said nothing about data having been destroyed. AnythingIT then sold the devices in an online auction, once again without MSSB’s authorization.

Triple Crown emailed these certificates of indemnification, bearing AnythingIT’s logo and letterhead, to Morgan Stanley. According to the SEC’s account of those emails, Triple Crown referred to them as certificates of destruction, but MSSB never reviewed the documents. According to the SEC, “If MSSB had reviewed the COIs, it would have been clear that Moving Company (Triple Crown) was using a sub-vendor that had not been vetted by MSSB and that the hard drives were not being wiped of data.” A simple read of the paperwork it was already receiving would have exposed both the unvetted sub-vendor and the absence of any wipe.

Triple Crown also removed approximately 8,000 backup tapes from one of the data centers. According to the settlement, “No one at MSSB monitored the database or had any direct contact with the unnamed e-scrap company during the decommissioning process to ensure that the devices were properly handled.” The lack of oversight became more consequential as the facts emerged. The SEC noted that “MSSB’s basis for believing that these tapes were in fact destroyed without any unauthorized access to customer PII (personal identifying information) and consumer report information hinges on this email,” referring to a single email reply from AnythingIT (described below). Morgan Stanley eventually launched an investigation into the disposition of the data center devices.

Morgan Stanley Attempts to Reclaim Lost Goods

According to the SEC, on October 25, 2017, an IT specialist in Oklahoma emailed Morgan Stanley to notify the bank that he had purchased MSSB’s hard drives in an online auction and that he had access to MSSB’s data. MSSB eventually repurchased the drives from the IT specialist.

In January 2018, MSSB emailed AnythingIT asking about the whereabouts of the 8,000 backup tapes. AnythingIT responded that it had handled them as “confidential material” in June 2016 and sent them to a recycling center, but remarked that the lot number MSSB provided did not match the one AnythingIT had on record.

Financial Fall-Out Over Preventable Mistakes

ITAD mishaps are not new to Morgan Stanley Smith Barney, and they have cost the firm over $163 million in total. Years of poorly managed IT asset disposition produced these hefty penalties. In September 2022, the U.S. Securities and Exchange Commission imposed a $35 million fine, only two years after the Office of the Comptroller of the Currency (OCC), a bureau of the Treasury Department, fined the company $60 million for earlier failures.

In the September press release, Gurbir S. Grewal, director of the SEC’s Enforcement Division, stated, “MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.” The SEC order said the project involved 4,900 devices, many of which did not contain sensitive data. However, some of the used IT equipment was found to hold large amounts of unencrypted personal and consumer report information, and approximately 1,000 of the devices were data-bearing hard drives.

In August 2022, MSSB finalized a legal settlement requiring it to pay $68.2 million to customers whose personal information had been exposed. The SEC order states that “the firm has not recovered the vast majority of the devices,” and that those devices that were recovered “contained thousands of pieces of unencrypted customer data.” In a financial report, MSSB disclosed that state attorneys general are still looking into the matter. Without admitting or denying the SEC’s findings, MSSB consented to the order finding that it had violated the safeguards and disposal rules under Regulation S-P and agreed to pay the $35 million penalty.

ITAD Solutions to Prevent Further Breaches

Proper IT asset disposition is a key component of hardware lifecycle management, and in this instance it was a colossal lapse on Morgan Stanley’s part. Using a certified ITAD provider from the outset, rather than a moving company, would have removed most of the risk the firm is still paying for. The record also shows cheaper controls that were missed: the data on the drives and tapes was unencrypted, the sub-vendor was never vetted, the certificates that were received were never read, and nobody at MSSB tracked the devices while they were in the vendor’s hands.

ITAD providers are trained to manage retired IT equipment, with the knowledge to recycle, repurpose, repair, or dispose of unwanted devices safely and in an environmentally responsible way, and to document data destruction so the customer can verify it. Grewal, Director of the SEC’s Enforcement Division, underscored the point: “today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.” Other corporations can learn from MSSB’s costly blunders.