Financial services giant Morgan Stanley terminated a contract with its long-standing IT asset disposition vendor to save money prior to a botched data center decommissioning job in 2016, lawyers alleged in court this month.
Lawyers representing consumers in a class action complaint against Morgan Stanley on Sept. 15 filed a response to the company’s recent request that the lawsuit be dismissed. In the response, the lawyers offered more details about the circumstances of Morgan Stanley’s multiple ITAD incidents that resulted in data mismanagement.
The data breach case came to light in July 2020 when Morgan Stanley alerted consumers that their personal data had the potential to be compromised. The data security concerns stem from ITAD jobs Morgan Stanley hired out in 2016 and 2019.
A handful of class action lawsuits quickly followed, as did a $60 million fine from the federal government.
Last month, Morgan Stanley responded to the complaint in court, asking the judge to dismiss the case and naming the asset disposition vendor that failed to properly wipe devices during the job.
The latest response offers additional context, as well as numerous allegations of negligence on Morgan Stanley’s part.
Attorneys for Morgan Stanley have not yet responded in court but are scheduled to before Sept. 29, according to a court timeline. A Morgan Stanley spokesperson told E-Scrap News the company continues to dispute the allegations by plaintiffs.
“We have continuously monitored the situation and have not detected any unauthorized access to, or misuse of, personal client information,” the spokesperson noted in a written statement. “We continue to vigorously defend against these claims.”
Data center job handled by ‘non-ITAD vendor’
According to the plaintiffs in the class action case, the 2016 data center incident was a direct result of Morgan Stanley changing vendors to save money.
“The 2016 incident was precipitated by Morgan Stanley’s profit-driven decisions to … terminate a contract with its long-standing vendor IBM for the decommissioning, wiping and destruction of computer equipment; hire a local moving company with no [ITAD] experience to do the job; and fail to supervise the project,” the lawyers wrote in this month’s filing.
The financial services company “ignored industry standards, electing instead to save approximately $100,000 by selecting a non-ITAD vendor for the job, and choosing the ‘poor man’s wipe’ when decommissioning the equipment, which IBM, Morgan Stanley, and others knew would leave unencrypted data intact on the equipment,” they added.
They went on to note Morgan Stanley “pressed to make decommissioning assets a ‘profit center,’ attempting to cut costs at every corner.” The claim also indicates a Morgan Stanley vice president involved in overseeing the project was terminated due to the incident.
Morgan Stanley in August identified its vendor as Triple Crown but did not offer any other details about the firm. E-Scrap News at the time contacted a New York City moving company by that name and the company declined to comment. The latest filing confirms the vendor was a moving company, and it adds that the company was hired to decommission more than 4,900 devices.
Triple Crown worked with AnythingIT (which the plaintiff attorneys interchangeably refer to as “WeedHire,” a company that was at the time operated by AnythingIT). The attorneys noted AnythingIT was “the company that was ostensibly to sanitize the equipment.”
AnythingIT in August told E-Scrap News it was not hired to perform any data destruction services, noting it simply purchased and resold retired devices from Triple Crown.
Record-keeping issues and data breach management
Morgan Stanley previously acknowledged in court that the 2016 case came to light after an individual bought used equipment on an e-commerce platform and found Morgan Stanley data retained on the equipment.
The plaintiffs now allege that the financial firm did not immediately ask the buyer to stop using the equipment or arrange to inspect or retrieve it. Instead, they say, Morgan Stanley “simply asked him to overwrite the data to destroy any evidence of its disclosure.”
Plaintiff lawyers claimed in the recent filing Morgan Stanley paid the buyer $40,000 and had him sign a non-disclosure agreement. And they noted this individual situation is just one of many potential instances of equipment from the 2016 data center decommissioning leaving private data vulnerable.
“Thousands of additional pieces of IT equipment containing unencrypted Morgan Stanley client [personally identifiable information] that were sold on the internet remain in the hands of other third party purchasers, who have the skills that enable them to access” the data, the plaintiffs stated.
There were also alleged lapses in Morgan Stanley’s internal record-keeping tracking retired assets.
The plaintiff lawyers alleged the Morgan Stanley vice president who was fired “admitted to his colleagues that Morgan Stanley had used asset inventory control software to track decommissioned devices … early in the project, but then stopped doing so.”
“As a result, Morgan Stanley had no internal records to verify the disposition of its decommissioned IT assets,” the lawyers wrote.
The filing says records were similarly missing after the 2019 data incident, which occurred after Morgan Stanley retired “Wide Area Application Services” devices from local branch offices as part of a hardware refresh program.
Some of these servers were not properly sanitized before being transferred to a third party, which is not named in the filing.
“Morgan Stanley again failed to follow proper chain of custody procedures, and thus did not discover until February 2020 that it was unable to account for numerous devices,” according to the filing.
