Morgan Stanley Agrees to Pay a $6.5 Million Settlement Over a Data Breach

Morgan Stanley (NYSE:MS) has agreed to a $6.5 million settlement with a group of state attorneys general, led by New York’s Letitia James, due to the investment firm’s negligence in properly decommissioning computers that contained unencrypted customer data. The oversight led to private consumer information being auctioned off and potentially exposed millions of customers, including approximately 1.1 million in New York.

The issue was uncovered when a purchaser of auctioned equipment found the sensitive data. An investigation revealed that Morgan Stanley hired an inexperienced moving company for the decommissioning of hard drives and servers, which resulted in the equipment being sold without erasing the private information. Additionally, during another decommissioning process, the firm discovered that 42 servers possibly containing unencrypted customer data were missing, attributed to a software encryption flaw.

As part of the settlement announced today, Morgan Stanley will implement several measures to strengthen its data security:

• Establish a comprehensive information security program.
• Create an incident response plan.
• Draft a written policy for managing personal information.
• Encrypt all personal data.
• Track hardware locations storing personal information.
• Assess vendor compliance with Morgan Stanley’s data security standards through a vendor risk assessment team.

Read the source article at Investing.com