The Anatomy of a Data Breach: CyberCrunch September Newsletter

Joe ConnorsNewsletter

By Joe Connors, V.P. Business Development

In this month’s newsletter, we’ll take a deep dive into the 2016 Morgan Stanley data breach. New details just released shed light on how a series of ITAD mistakes led to numerous multi-million dollar lawsuits. We’ll discuss the lessons learned and what you need to know to keep your data safe when disposing of old equipment.

Executive Summary: The three lessons that business and IT decision makers can learn from this incident are:

  • Use Reputable and Certified ITAD Vendors who have the skills and experience to protect your data.
  • Scrutinize the Paper Trail including contracts, subcontracts, and certificates of destruction.
  • Take Responsibility For Your Data by safeguarding it from installation to disposal.

The Anatomy of a Data Breach: Inside the Morgan Stanley ITAD Incident

In July 2020, Morgan Stanley alerted clients that their personal data may have been leaked as a result of two separate incidents in 2016 and 2019 involving the decommissioning of data center hardware. Shortly thereafter, the financial giant was slapped with eight lawsuits alleging negligence in how they handled client data. And in October 2020, the firm was fined $60 million by the U.S. Treasury Department for “failure to exercise proper oversight of the 2016 decommissioning of two Wealth Management business data centers located in the U.S.” and a lack of “adequate due diligence in selecting a vendor and monitoring its performance.”

While the disclosure and fine gave us a glimpse into Morgan Stanley’s missteps, it was only on August 9 of this year that the company finally responded to the lawsuits, which have been consolidated into one case in the Southern District of New York.

Data Discovered on Decommissioned Devices

In October 2017, an IT consultant in Oklahoma discovered Morgan Stanley data on used hard drives that he had purchased from ITAD vendor KruseCom. He then contacted Morgan Stanley’s IT department, who took steps to recover the drives.

During this investigation, Morgan Stanley confirmed that the drives came from the decommissioned data center and notified clients of the potential breach.

In a separate incident in 2019, Morgan Stanley upgraded “wide area application services” devices in 500 local branch offices. They stated that “a small number” of those devices are unaccounted for and may contain confidential information. No third party vendor was implicated in the 2019 incident.

Vendors Blamed for Breach

In Morgan Stanley’s legal filing, they identify the vendors who were contracted to decommission the data centers and dispose of the equipment.

“In 2016, Morgan Stanley decommissioned two data centers and contracted with a vendor (Triple Crown, who is not NAID AAA Certified) to remove the devices from those centers, wipe any data that the devices may have contained, and properly recycle the non-data materials,” states Morgan Stanley in the court response.

The filing goes on to claim that Triple Crown, unbeknownst to Morgan Stanley, sold the devices to another vendor, New Jersey-based ITAD firm AnythingIT, who in turn resold the devices to KruseCom — who ultimately either destroyed the drives or resold them online.

Morgan Stanley claims that Triple Crown fraudulently claimed to have destroyed the devices, even billing the company for data destruction services and supplying “certificates of indemnification” rather than certificates of destruction.

It is unclear whether Morgan Stanley intends to take any legal action against Triple Crown or the other vendors, none of whom were named as defendants in these cases. For their part, AnythingIT told ITAD trade publication E-Scrap News that they were “never contracted or required to perform data wiping or destruction on any equipment involved with this case,” and that they simply purchased the decommissioned equipment from Triple Crown and resold it. Triple Crown has not yet commented on the case.

ITAD Lessons for All

The Morgan Stanley incident contains lessons for any business or IT decisionmaker about how to handle asset disposition, especially when sensitive information may be involved. Consider these three lessons: 

Use Reputable Vendors With the Right Capabilities

In all of the legal filings and extensive media reporting about this case, the identity of the original vendor, Triple Crown, remains somewhat of a mystery. A technology company by that name does not appear to specialize in ITAD or data destruction, but rather “data center consulting” and networking services. This left Morgan Stanley without the support needed to properly handle the data stored on their decommissioned devices, and created a complicated web of subcontractors without clearly defined responsibilities.

Whether you need routine e-waste disposal or are undertaking a major decommissioning project, choose a vendor with the expertise and experience to keep you protected. Using a NAID AAA Certified provider gives you extra confidence in the processes they use to keep your data from falling into the wrong hands.

Scrutinize the Paperwork

Morgan Stanley claims that they were given “certificates of indemnification” that Triple Crown falsely described as certificates of destruction. However, it was still Morgan Stanley’s responsibility to catch this discrepancy and take action to clarify things.

If you aren’t sure about the documentation your vendor provides, be sure to ask questions, or even get a second opinion from another vendor, an internal resource, or even legal counsel. As CyberCrunch President Serdar Bankaci is fond of saying, “Data destruction is only half the process — the other half is the documentation. The documentation is just as important as the actual destruction.” Having clear and complete documentation of data destruction will protect you from lawsuits and penalties if questions arise.

You Are Responsible for Your Data

Though Morgan Stanley would like to blame the actions of their vendor for this data breach, the responsibility — and financial and reputational consequences — ultimately fall to them. They have already paid a $60 million fine to the U.S. government, and are now involved in a lengthy litigation process that will take years to settle.

The data that your customers, partners and employees entrust to you is your responsibility, so it is up to you to keep it from falling into the wrong hands.

If you have questions about your data destruction process, contact CyberCrunch today for a free consultation. We can help you make sure that your data won’t end up on the loose with our comprehensive, certified ITAD processes and data destruction technology.

Click here to speak with us today.