Morgan Stanley customer data left on decommissioned servers

US bank Morgan Stanley has posted letters to an unknown amount of customers, notifying them of potential data breaches involving sensitive personal information left on servers and storage sent to recyclers and on an encrypted drive lost at a branch office.

A copy of the letter was posted on Twitter by security researcher Dan Tentler of Phobos Group.

The letter is dated July 9 this year US time, and describes an incident in 2016 when Morgan Stanley closed two data centres and decommissioned the equipment in both of them.

"As is customary, we contracted with a vendor to remove the data from the devices," the letter reads.

"We subsequently learned that certain devices believed to have been wiped of all information still contained some data." 

'hi, we got hacked because we didnt bother checking to see if we actually follow our own policies, and some of your data was stolen. all the shit an attacker would need to commit shitloads of fraud and identity theft, but dont worry, not your passwords'. pic.twitter.com/KDarKLmmPc

— D̒͂̕ᵈăᵃn̕ᶰ Ť̾̾̓͐͒͠ᵗe͗̑́̋̂́͡ᵉn̅ᶰtᵗl̀̓͘ᶫe̓̒̂̚ᵉrʳ (@Viss) July 30, 2020

In a separate incident three years later, the bank said it disconnected and replaced a computer server at an unnamed Morgan Stanley branch office.

The server had data that may have included personal information stored on encrypted disks, and the device was lost by Morgan Stanley.

Some of the information on the server storage could be readable, Morgan Stanley advised.

"The manufacturers subsequently informed us of software flaw that could have resulted in small amounts of previously deleted information data remaining on the disks in unencrypted form," the bank said.

The personal information in the data breach could comprise account names and numbers at Morgan Stanley and any linked bank accounts, US social security numbers, passport numbers, contact data, dates of birth, as well as asset value and holdings data.

However, the amount of customers involved in the data breach was not disclosed by the bank.

Morgan Stanley said the data did not contain the bank's online services passwords, and that it is not aware of any access to or misuse of the personal information left on the devices.

Nevertheless, as there is a possibility of misuse of the breached sensitive personal information, Morgan Stanley is now offering two years' worth of credit monitoring and fraud detection to customers for free.

A similar privacy lapse also occurred in 2016, when the Commonwealth Bank admitted subcontractor Fuji Xerox lost two magnetic back up tapes sent to be destroyed.

The tapes contained data on 19.8 million customers, and were not found after being lost.