Morgan Stanley Lawsuit: What It Says About Data Centre Security

Security is non-negotiable in the data centre arena. Unfortunately, security breaches are all too common in the modern world. Now, a security-related lawsuit filed against Morgan Stanley some two years ago looks like it may be heading for settlement – to the tune of some $60 million.  The settlement notwithstanding, there is an important lesson to be learned here.

We often talk about data security in terms of active servers and networks.  Data centres harden themselves against attacks of all kinds but, in the Morgan Stanley case, the data in question was not hosted by an active data centre.  The data centre had actually been decommissioned.  Furthermore, some of the data was stored on devices that had since been replaced by numerous Morgan Stanley branch locations.

Data Goes Forgotten

According to a January 3, 2022 report from Bloomberg, Morgan Stanley had decommissioned a data centre back in 2020.  Such actions are not uncommon however the problem was this: servers containing personal information belonging to some fifteen million current and former clients was forgotten.  This data remained on the servers even after the data centre was no longer active.  No one thought to wipe the servers clean.

In addition, outdated equipment that had been utilised at some Morgan Stanley branch locations was also not wiped clean when replaced.  All of that is serious enough; unfortunately, it gets worse.  Some of the equipment with its data still intact went missing.

The hardware included information like names, addresses, Social Security numbers and birth dates.  Some of the hardware wasn't even encrypted.  Anyone who had managed to obtain one of the old Morgan Stanley hard drives would have access to a treasure trove of sensitive information.

You Can't Be Too Secure

So what is the lesson here?  No data centre can ever be too secure.  It is absolutely imperative to defend against any and all attacks mounted against active networks.  It is equally imperative to maintain the utmost security on all data storage devices but the need for security doesn't end when equipment is decommissioned or replaced.  Security breaches involving decommissioned equipment are just as possible – and just as dangerous.

Not only should the decommissioned Morgan Stanley equipment have been wiped clean, but it should also have been given the once over by data security specialists to make sure that absolutely no data could be recovered.  To decommission an entire data centre and simply forget about the equipment is unfathomable.

To their credit, Morgan Stanley did contact all the affected clients to let them know what had happened.  By way of the settlement, they have also agreed to pay significant damages but all of this is after the fact and things never should have got this far.

Whatever It Takes

Data centres of all types and sizes have an obligation to do whatever it takes to guarantee data security.  In the Morgan Stanley case, we are talking about a security breach that was so easy to prevent.  There is nothing complicated about wiping hard drives clean and then tracking where they go and, if Morgan Stanley IT experts had any doubts, they could have simply destroyed the equipment altogether.

As an industry, let us not get so wrapped up in high-tech security solutions that we forget the simple things.  Dealing with decommissioned equipment doesn't take a high-tech solution.  It doesn't take any complicated software or special engineering knowledge.  Unfortunately, it is often the simplest security measures that fall by the wayside, probably because we take them for granted.  Morgan Stanley has learned the hard way unfortunately.  Let’s hope that some other companies learn from this situation and some good can come out of it.