This story has been updated.
Morgan Stanley’s years of IT asset disposition errors have cost the banking giant over $163 million, according to an updated E-Scrap News tally. New details on the data loss incidents have also recently come to light.
The U.S. Securities and Exchange Commission (SEC) in September slapped Morgan Stanley Smith Barney (MSSB) with a $35 million fine. That was nearly two years after the Treasury Department fined the company $60 million.
And in August 2022, MSSB finalized a legal settlement obligating it to pay $68.2 million to protect customers whose personal information it can’t account for, as well as hire an outside firm to try to track down lost devices. The trouble may not be over: State attorneys general are also looking into the matter, MSSB disclosed in a financial report.
The legal issues all stem from IT asset decommissioning and refresh projects MSSB undertook between 2016 and 2019. MSSB hired a moving company with no data destruction experience to decommission two U.S. data centers in 2016; devices holding unencrypted customer data were eventually sold online. In 2019, MSSB simply lost track of dozens of devices containing customer data during an IT refresh project.
The incidents have become the poster children for how not to dispose of IT assets, with some ITAD and electronics recycling companies citing the cases in their marketing efforts.
“MSSB’s failures in this case are astonishing,” Gurbir S. Grewal, director of the SEC’s Enforcement Division, stated in a Sept. 20 press release. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.”
“Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data,” he added.
The SEC order includes previously unpublished descriptions of just what went wrong in the company’s ITAD jobs.
‘No one at MSSB monitored the database’
Neither admitting nor denying the SEC’s findings, MSSB accepted the $35 million penalty, which it must pay within 30 days and which will be deposited in the general fund of the U.S. treasury.
According to the SEC order, MSSB hired a moving company – identified in other court documents as New York company Triple Crown – to handle a 2016 project to decommission two data centers, one in Poughkeepsie, N.Y. and one in Columbus, Ohio. The data centers served the publicly traded company’s wealth management business.
Customers who later sued MSSB alleged the company had previously contracted with IBM to handle its ITAD work but canceled that contract in an attempt to save about $100,000.
MSSB first signed the contract with Triple Crown for the data center project in 2014. That contract designated Triple Crown as a vendor to pick up, transport and decommission certain devices. Triple Crown had no experience or expertise in electronic data destruction, the SEC noted, and MSSB knew that Triple Crown was strictly a moving company.
However, that same contract also identified an unnamed e-scrap management company, and the document stated that company would wipe or degauss the devices and resell them, with 60% to 70% of the resale amount going back to MSSB. The document also called for MSSB to receive asset and disposition reports, along with certificates of destruction.
The SEC order said the project involved 4,900 devices, many of which were non-data-bearing devices but some of which held thousands of pieces of unencrypted personal information and consumer report information for MSSB’s customers. The data-bearing material included 53 redundant arrays of independent disk (RAID) arrays that collectively contained approximately 1,000 hard drives. The moving company also removed approximately 8,000 backup tapes from one of the data centers.
For a brief time, Triple Crown delivered the data center devices to the unidentified e-scrap company, which tracked them in a database through the collection, wiping and resale processes. MSSB received certificates of destruction, and it had been provided direct access to the inventorying database to monitor the process, the SEC states.
The unnamed e-scrap company retained 30% to 40% of the device resale proceeds, per the contract, and it remitted the remainder to Triple Crown. The SEC claims MSSB never asked Triple Crown for its 60-70% cut of the drive sales, so it didn’t receive any of the money.
“No one at MSSB monitored the database or had any direct contact with IT Corp A (the unnamed e-scrap company) during the decommissioning process to ensure that the devices were properly handled,” according to the SEC.
Early in the project, Triple Crown stopped working with that unidentified e-scrap company and began working with another company without MSSB’s knowledge or approval. (SEC noted that MSSB could have learned about the change had it logged into the tracking database.) That other company was identified in separate court documents as New Jersey-based AnythingIT.
Triple Crown began selling drives to AnythingIT, which, according to the SEC, “understood that the devices had already been wiped.” The SEC’s description does not conflict with what AnythingIT previously told E-Scrap News in a statement.
According to the SEC, AnythingIT provided Triple Crown with certificates of indemnification, which “simply represented that IT Corp B (AnythingIT) assumed possession of the devices and risk of loss.” AnythingIT then sold the devices.
Triple Crown emailed those certificates of indemnification (COIs), which contained AnythingIT’s logo and letterhead, to MSSB. In the emails, Triple Crown referred to them as certificates of destruction, according to the SEC, but never looked at the documents.
“If MSSB had reviewed the COIs, it would have been clear that Moving Company (Triple Crown) was using a sub-vendor that had not been vetted by MSSB and that the hard drives were not being wiped of data,” according to the SEC.
Morgan Stanley recovers several drives
According to court records filed by MSSB in the class-action lawsuit case, AnythingIT resold the data-bearing devices to a third party, Palm Beach, Fla.-based IT asset management company KruseCom, which either destroyed or sold them online through an auction site.
On Oct. 25, 2017, an IT consultant in Oklahoma emailed MSSB to tell the bank he had purchased hard drives online and had access to MSSB’s data on those drives, according to the SEC.
“[Y]ou are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware,” the individual wrote in his email, according to the SEC order. “Or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to.”
MSSB eventually repurchased the drives from the consultant. Shortly thereafter, MSSB launched an investigation into the disposition of the data center devices. In the course of that investigation, the company learned that Triple Crown had also delivered 8,000 of MSSB’s backup tapes to AnythingIT.
On Jan. 19, 2018, MSSB emailed AnythingIT asking what happened to the tapes. AnythingIT responded that the company processed them as “confidential material” in June of 2016 and sent them to a waste-to-energy plant, although AnythingIT noted that the lot number provided by MSSB didn’t match the one AnythingIT had on file.
“MSSB’s basis for believing that these tapes were in fact destroyed without any unauthorized access to customer PII (personal identifying information) and consumer report information hinges on this email,” SEC wrote.
Finally, in July 2020, MSSB disclosed the data loss to about 15 million impacted customers, emphasizing that there was no evidence that customer information had been misused by criminals.
Afterward, MSSB managed to get some more of the missing drives back. In June 2021 MSSB obtained another 14 of the missing drives from an unnamed downstream purchaser, according to the SEC.
“Based on forensic analysis of these hard drives, 13 of the devices contained a total of at least 140,000 pieces of customer PII (personal identifying information),” the SEC’s order states. “The vast majority of the hard drives from the 2016 Data Center Decommissioning remain missing.”
The SEC’s order indicates that witnesses at Triple Crown and AnythingIT cooperated in providing information to commission investigators.
$68 million settlement approved
The SEC described issues with other MSSB ITAD projects in 2015, 2016 and 2017, although they don’t appear as serious as the data center project described above.
In one instance in 2016, Triple Crown decommissioned an MSSB data center in New York City, but MSSB lacked records on exactly what devices were removed or what data they contained, and it doesn’t have certificates of destruction for any of them, according to the SEC.
The troubles also extended to a project involving a different vendor, Arrow Electronics.
In 2019, MSSB removed 500 data-bearing devices from branch offices as part of an IT refresh project. The company hired Arrow to oversee that decommissioning project, a class-action complaint revealed. At the time, Arrow Electronics ran a large ITAD division – the result of several years of acquisitions of other ITAD companies – before shutting down the division later in 2019. During the wind-down period of MSSB’s dealings with Arrow, MSSB did a cross-check and reconciliation of its records of devices provided to Arrow and discovered some were missing, the court records indicate.
According to the SEC, a February 2020 inventory check by MSSB found that four wide-area application services (WAAS) devices had gone missing as part of the refresh, the SEC stated. In 2021, MSSB undertook an inventory of all historical branch devices and discovered an additional 38 WAAS devices from that Arrow project were missing, the SEC determined.
The commission also noted that the devices had been equipped with encryption capabilities but Morgan Stanley staff failed to activate the encryption software until 2018. Because of a software flaw, pre-2018 data remained unencrypted on the missing devices.
Shortly after MSSB disclosed the incidents to customers in mid-2020, customers began suing. By the end of the year, several class-action lawsuits had been filed against the company, with the judiciary consolidating them into one case. In November 2021, the parties reached a settlement in principle. The settlement, which affects over 15 million current and former MSSB customers, received final approval from a federal judge on Aug. 5, 2022.
As part of the terms of the deal, MSSB has deposited $60 million into a fund that will pay for two years of fraud monitoring and insurance for affected customers, up to $10,000 each to reimburse customers’ for any costs related to data loss, and up to $100 in reimbursement each for lost time, in addition to covering plaintiffs’ attorney fees and costs.
Separately, MSSB will pay another $8.2 million for the class-action settlement administration and notices to affected parties.
For the next year, the company is also paying a forensic investigations firm called Kroll, Inc. to try to track down lost devices, and the parties will submit a quarterly report to the court updating the judge on their progress. A declaration submitted to court by a legal expert working with the plaintiffs noted that they negotiated the requirement that MSSB hire Kroll after learning one of the company’s decommissioned IT assets had recently been purchased on the internet.
“Morgan Stanley has also agreed to maintain business practice changes related to data security and to engage Kroll at its additional expense in an effort to locate and retrieve additional IT devices, which is significant in that it provides further protection from future potential harm for Class Members,” according to a motion to approve the settlement.
A spokesperson for MSSB did not respond to an E-Scrap News request for an interview but sent a written response that mirrored previous statements from the company emphasizing that the company knows of no misuse of compromised customer data.
This story has been updated with information about Arrow Electronics’ role in Morgan Stanley’s 2019 wide-area application services (WAAS) device refresh project.
More stories about courts/lawsuits
- Millions of dollars move as Ohio CRT case winds down
- Judge orders five years probation in CRT case
- Suit targets Closed Loop CRT suppliers in Arizona