Morgan Stanley Data Breach – Lessons to be Learned

September 27th, 2022: CyberHoot has been reading about the 35 million dollar fine issued to Morgan Stanley (MS) for the breach of 15 million customers’ private data. You see, MS had a lot of surplus equipment.  So much so, that it hired a 3rd party to destroy or cleanse and resell its used equipment.  Turns out the 3rd party sold equipment to another 3rd party who did not follow the secure destruction protocols MS had required in the initial contract and eBay purchasers discovered and reported the data to MS.  Eventually the SEC found out, investigated and issued the fine in Sept 2022.

Lessons to learn

There are many lessons to be learned from this by all manner of businesses from 3rd party risk management, to effective contract controls, to appropriate data destruction processes.  Many areas of risk combined here to lead to a terrible outcome for 15 million MS clients.

3rd Party Risk Management Programs

Many SMBs and MSPs rely on 3rd parties for services and products.  Last year, thousands of business were impacted enormously by a software vendors poor security and widescale breach of their product (Solarwinds).  This put thousands of enterprises at risk and led to many additional breaches.  The lesson learned here is you may trust your vendors, but verify their security measures and controls.

Breaches Happen to MSP/SMB Vendors Too

Before you dismiss this advice because Solarwinds was largely an enterprise software event, CyberHoot reminds you that Kasaya had a nasty ransomware breach last year which led to the encryption of many of its customers data.  How many MSPs or SMBs have any sort of 3rd party risk management program?  Let’s simplify that question to the reality on the ground.  How many SMBs and MSPs even know or track all the 3rd party vendors they rely on to run their business?  Given that CyberHoot has rarely been asked about our security and we supply Awareness Training, Phish Testing, and Governance Policy services to tens of thousands of users globally, and we are confident that 3rd party vendor management is severely lacking.

Contract Language Matters a Good Deal

In this instance, the fine print did not prevent 3rd Party vendor A from reselling the equipment purchased from Morgan Stanley to vendor B.  This transfer of equipment played a role in not following the contractual obligations surrounding data destruction, and made Morgan Stanley’s job of following up on the data destruction requirements very difficult. 

vCISO Tip 1: When companies you support are dealing with critical data make sure you review their contract language. Ensure contract language prevents your 3rd parties from subcontracting the work without your explicit permission.

vCISO Tip 2: Some security professionals may suggest you encrypt the data and destroy the keys instead of destroying the data.  This is a short-sighted method that CyberHoot argues against doing.  Quantum computers are around the corner and will open up a vast array of methods to break current encryption standards.  What is encrypted today could be cracked tomorrow.  It is always better to destroy the data rather than encrypt to protect its Confidentiality.

You do have a Data Retention and Destruction Policy, right?

Many SMBs struggle to get rudimentary cybersecurity policies in place.  Every SMB should have the following policies in place:

  1. Written Information Security Policy (WISP)
  2. Password Policy
  3. Acceptable Use Policy
  4. Information Handling Policy

Once an SMB or MSP has these basic policies in place, their maturity has risen to a point where they need to consider developing other policies including:

  • 3rd Party Risk Management
  • Software-as-a-Service Management Policy
  • Data Retention and Destruction Policy

The data retention and destruction policy is an adjunct to the Information Handling Policy.  They describe in minute detail the types of data a company controls, how long that data is to be kept for, and how to securely destroy the data after its useful life.  This is of vital importance when dealing with critical or sensitive company data.  Make sure you have a retention and destruction policy in place at your SMB and MSP.

What should SMB/MSPs learn from the Morgan Stanley data Breach?

At the root of this issue were three main points of failure.  While MS has not admitted fault in this matter, CyberHoot believes all business could learn three things from this breach.

1. Create, develop, and fund your 3rd party Risk Management program. 

Start by creating a list of critical 3rd parties and focus on them to begin with.  Assess their cybersecurity preparedness with a questionnaire and track results through to your satisfactory conclusion.

2. Have Cybersecurity Review your 3rd Party Contract language for Gaps.

Morgan Stanley’s data destruction policy should have prohibited the sale of equipment to other recycling vendors without first proving the data destruction process had completed.  That alone might have prevented this breach from occurring.

3. Document your Data Retention and Destruction Policy and Processes

Ensure you have prescriptions in your Information Handling Policy that call out retention and destruction requirements.  Write process documents outlining the procedures your IT resources are to follow when backing up and destroying your data.

A vCISO can Help in All Three Areas

Cybersecurity professionals are in high demand.  If you can find one, hiring them full-time is beyond the ability of most companies, no different than why you don’t hire a full-time physician or lawyer, or plumber, or electrician to assist your business.

This is where a virtual Chief Information Security Officer can help you out at a fraction of the cost of a full-time professional.  The vCISO profession has been growing and expanding rapidly over the last 5 years.  CyberHoot provides vCISO consultants to SMBs and MSPs to help them build and mature their cybersecurity programs.  Learn more about our program here.

Secure your business with CyberHoot Today!!!

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.