iTnews

Morgan Stanley customer data left on decommissioned servers

By Juha Saarinen on Jul 31, 2020 9:35AM

Offers two years' worth of credit reporting and fraud detection.

US bank Morgan Stanley has posted letters to an unknown number of customers, notifying them of potential data breaches involving sensitive personal information left on servers and storage sent to recyclers, and on an encrypted drive lost at a branch office.

A copy of the letter was posted on Twitter by security researcher Dan Tentler of Phobos Group.

The letter is dated July 9 this year US time, and describes an incident in 2016 when Morgan Stanley closed two data centres and decommissioned the equipment in both of them.

"As is customary, we contracted with a vendor to remove the data from the devices," the letter reads.

"We subsequently learned that certain devices believed to have been wiped of all information still contained some data." 

'hi, we got hacked because we didnt bother checking to see if we actually follow our own policies, and some of your data was stolen. all the shit an attacker would need to commit shitloads of fraud and identity theft, but dont worry, not your passwords'. pic.twitter.com/KDarKLmmPc

— D̒͂̕ᵈăᵃn̕ᶰ Ť̾̾̓͐͒͠ᵗe͗̑́̋̂́͡ᵉn̅ᶰtᵗl̀̓͘ᶫe̓̒̂̚ᵉrʳ (@Viss) July 30, 2020

In a separate incident three years later, the bank said it disconnected and replaced a computer server at an unnamed Morgan Stanley branch office.

The server had data that may have included personal information stored on encrypted disks, and the device was lost by Morgan Stanley.

Some of the information on the server storage could be readable, Morgan Stanley advised.

"The manufacturers subsequently informed us of a software flaw that could have resulted in small amounts of previously deleted information data remaining on the disks in unencrypted form," the bank said.

The personal information in the data breach could comprise account names and numbers at Morgan Stanley and any linked bank accounts, US social security numbers, passport numbers, contact data, dates of birth, as well as asset value and holdings data.

However, the number of customers involved in the data breach was not disclosed by the bank.

Morgan Stanley said the data did not contain the bank's online services passwords, and that it is not aware of any access to or misuse of the personal information left on the devices.

Nevertheless, as there is a possibility of misuse of the breached sensitive personal information, Morgan Stanley is now offering two years' worth of credit monitoring and fraud detection to customers for free.

A similar privacy lapse also occurred in 2016, when the Commonwealth Bank admitted subcontractor Fuji Xerox lost two magnetic backup tapes sent to be destroyed.

The tapes contained data on 19.8 million customers, and were not found after being lost.
