American banking giant faced class-action lawsuit over data breach from improper wiping of decommissioned data center equipment — a cautionary tale for every organization.
Settlement amount: $60M
Customers affected: 15M
First incident: 2016
Second incident: 2019
The breach compromised personal data of approximately 15 million customers. In July 2020, the bank faced a class-action lawsuit from customers whose data was allegedly compromised due to improper wiping of decommissioned data center equipment.
The exposed data included customer names and account numbers, Social Security numbers, passport details, contact information, and dates of birth, all of it personally identifiable information (PII).
Two data centers were not properly decommissioned due to:
A decommissioned server at local branches went missing:
In 2020, the Office of the Comptroller of the Currency (OCC) found critical failures in Morgan Stanley's decommissioning process:
Failed to effectively assess or address risks associated with decommissioning hardware.
Failed to adequately assess subcontracting risks, including due diligence in selecting a vendor.
Failed to monitor vendor performance throughout the decommissioning process.
Failed to maintain appropriate inventory of customer data stored on decommissioned devices.
Adopting professional data erasure software would have resolved the matter in multiple ways:
Modern certified data erasure software like D-Secure provides a DIY utility for onsite erasure of legacy storage media. The IT asset management team could wipe hard drives at their own premises before equipment leaves the facility, preventing any breach of chain of custody.
Certified data erasure software generates digital records for every wiped hard drive that act as secure and reliable tamper-free audit trails. Systematic records serve as documented evidence of data wiping for every decommissioned device.
Data erasure technology helps businesses adhere to banking regulations such as GLBA by complying with the Information Systems provision in the Safeguards Rule. Permanent erasure prevents unwanted exposure of non-public personal information (NPI) beyond any scope of recovery.
If the $60 million settlement is approved by Manhattan federal court, it will be awarded to all those potentially impacted by the breach:
Out-of-pocket expenses (per class member claim): up to $10,000
Fraud insurance services (identity protection coverage): 24 months
Lost time compensation (additional benefit): $100
Growing data breach incidents underscore that every organization must have reinforced and robust data protection policies. The only way to get rid of sensitive data is to permanently wipe it beyond recovery.
D-Secure provides professional data erasure solutions with tamper-proof audit trails — ensuring complete protection against data breaches like the Morgan Stanley incident.