Morgan Stanley has identified the data center decommissioning provider it claims was responsible for a data-breach incident, which led to lawsuits and a $60 million penalty against the financial giant.
The bank was named as a defendant in several class-action lawsuits last year, after customer information was mismanaged during 2016 and 2019 computer decommissioning projects. In the 2016 data center decommissioning incident, the bank placed blame on the service provider.
In court papers filed this month, Morgan Stanley revealed that the 2016 data center decommissioning project was outsourced to a company called Triple Crown, which in turn sold the devices to ITAD firm AnythingIT. Retired devices were ultimately sold to a used device marketplace, where they were resold to consumers.
The data mismanagement only came to light when a buyer discovered Morgan Stanley data on storage drives he had purchased, and he emailed the company to communicate that fact.
Morgan Stanley in July 2020 told clients it had discovered “potential data security incidents” stemming from that data center decommissioning in 2016 and a separate incident in 2019. The company was quickly hit with two class-action lawsuits, which expanded to seven.
In October 2020, Morgan Stanley was slapped with a $60 million data mismanagement fine from the U.S. Treasury Department, which chastised the company for its “failure to exercise proper oversight of the 2016 decommissioning of two Wealth Management business data centers located in the U.S.” The Treasury Department said Morgan Stanley failed to employ “adequate due diligence in selecting a vendor and monitoring its performance,” among other mishaps.
Response offers details about 2016 incident
Morgan Stanley on Aug. 9 responded to the lawsuits, which have been consolidated into one case in the United States District Court for the Southern District of New York. In its response, the company lays out the sequence of events that led to the data security scare.
“In 2016, Morgan Stanley decommissioned two data centers and contracted with a vendor – Triple Crown – to remove the devices from those centers, wipe any data that the devices may have contained, and recycle the non-data materials,” attorneys wrote.
“Morgan Stanley later learned that Triple Crown unilaterally breached its contract by selling the devices to another company, AnythingIT, despite a requirement that Triple Crown only subcontract [its] obligations with Morgan Stanley’s express written consent – which it did not obtain,” lawyers for Morgan Stanley wrote.
The filing says AnythingIT, a New Jersey-based electronics recycling and ITAD firm, provided Triple Crown with “certificates of indemnification, which Triple Crown then falsely described as certificates of destruction in transmitting them to Morgan Stanley.”
“In reality, and unbeknownst to Morgan Stanley, AnythingIT failed to wipe the devices, and sold them to a third party, KruseCom, which in turn either destroyed the devices or sold them online,” the filing states. “Nevertheless, Triple Crown fraudulently billed Morgan Stanley for destruction services.”
Contacted by E-Scrap News, AnythingIT sent a statement explaining its role in the decommissioning case.
“AnythingIT was never contracted or required to perform data wiping or destruction on any equipment involved with this case,” the company wrote. “We were simply a 3rd-party purchaser of liquidated equipment from Triplecrown. AnythingIT has fully cooperated with investigators and was not contracted for any ITAD services.”
The court filing does not include any more identifying details about Triple Crown, and spokespeople for Morgan Stanley and AnythingIT declined to confirm details about the company. E-Scrap News contacted a company of that name by email and phone but did not receive a response and could not confirm whether it was the involved party by press time.
A person with knowledge of the situation in 2020 told E-Scrap News Morgan Stanley was considering legal action against its service provider, although the financial institution has not publicly announced such plans and Triple Crown is not named as a defendant in this case.
Data loss comes to light, another incident arises
More than a year after the decommissioning, in October 2017, an IT consultant in Oklahoma found Morgan Stanley data on storage drives he had purchased through KruseCom, according to the court filing. The consultant emailed Morgan Stanley’s IT department explaining what he had found, and the company “immediately took steps to investigate and recover the devices, and found no evidence that any customers’ personal information was accessed or misused.”
The legal filing offers fewer details about the 2019 case, but it provides a general outline. That year, the company removed 500 “Wide Area Application Services” devices from local branch offices as part of a hardware refresh program, the filing states. The summary does not reference third-party vendors in that case.
“In a subsequent inventory, the company determined that it was unable to locate a small number of those devices; the manufacturer later informed Morgan Stanley of a software flaw that could have resulted in small amounts of previously deleted information remaining on the disks in unencrypted form,” according to the response.
Lawyers seek to toss case
Morgan Stanley’s response in court repeats multiple times that despite the potential for data theft, Morgan Stanley has not learned of a single instance of personally identifiable information being accessed or misused in connection with this case.
Attorneys for Morgan Stanley are asking the court to dismiss the case entirely. In the 37-page legal response, they downplay the plaintiffs’ concerns over a potential data breach from the asset recovery processes.
Morgan Stanley’s attorneys say the plaintiffs received nearly 30,000 documents from the financial firm during the discovery phase of the case. The plaintiffs have “combed those materials to lard their amended pleading with innuendo, suggestions of impropriety and blatant mischaracterizations,” the filing states.
Attorneys for the plaintiffs and Morgan Stanley held a mediation session in May and have two additional sessions scheduled for this month, according to court records. The fact discovery process will continue through Dec. 16, 2021, and expert discovery is due by Feb. 1, 2022.
More stories about data security
- What do consumers think about data destruction?
- Tracking service looks upstream of ITAD providers
- Survey probes COVID-19 e-scrap impact on enterprises