SecurityWeek reports that Morgan Stanley has been fined $6.5 million for failing to properly remove unencrypted data from decommissioned devices, a lapse that may have exposed millions of customers' sensitive information.
The investigation into the financial services firm found that thousands of hard drives holding customer data had been decommissioned through a moving company with no expertise in data destruction. In a separate decommissioning process, 42 servers went missing, and the data on them was left unencrypted because of a vulnerability in the encryption software. Morgan Stanley was also found to lack asset inventories and vendor controls.
Aside from the monetary settlement, to be distributed among Florida, New York, Connecticut, New Jersey, Indiana, and Vermont, Morgan Stanley is also required to strengthen its personal data protections: encrypting data at rest and in transit, adopting a policy for data collection, use, retention, and disposal, implementing systems to monitor hardware that holds personal data, and establishing an incident response plan, an information security program, and a vendor risk evaluation team.