Morgan Stanley Smith Barney has admitted that CDs containing unencrypted information of 34,000 customers have been lost.
The information related to tax and were lost in transit to the New York State department of taxation and finance, according to Bloomberg. Those affected were notified last month and were told that the information contained some clients' account numbers and social security numbers, as well as interest earned on tax-exempt bonds and funds.
Morgan Stanley spokesperson Jim Wiggins said: “We've seen no evidence of criminal intent or actual misuse of this information. We were informed that the package appeared to be intact when it was received at the department, but when it was delivered internally to the intended recipient, the CDs were not there.”
A further joint search with the taxation department and the US postal service also failed to locate the CDs.
Chris McIntosh, CEO of ViaSat UK, said: “Disks are notoriously easy to lose and so every precaution must be taken to safeguard against accidental loss, especially when they include details such as social security and account numbers. The important lesson is that the value of information stored on these disks potentially runs into the hundreds of thousands of dollars, and it would have cost proportionately very little to either encrypt the data stored on these disks, or alternatively use an even more secure storage medium such as a fully encrypted USB drive.
“Although Morgan Stanley has declared they are exploring how to improve the security of data transmissions, they should have already been encrypting information as standard. Large companies like this need to take more measures to protect information otherwise they risk losing out both in terms of retaining customers and reputation, let alone any fines or other penalties that may still be to come.”
Mohan Koo, managing director of Dtex Systems, said that he believed this to be a sign that financial services organisations have the wrong attitude to securing client data, as despite investment in complex security, they are taking their eye off basic security when moving data around.
He said: “The recent announcement by Morgan Stanley should worry a lot of people. Not just because it's the next in a long line of data slip-ups and not just because it was so easy to avoid, but because it is a demonstration that financial services organisations are not watching what happens inside their systems as closely as they should.
“Of all the industries involved in handling personal data, organisations in the finance space should have total visibility of how data is moved and handled by their teams because the information they carry offers the greatest potential threat to people's money.
“This incident should be a wake-up call for all financial services organisations that if they don't know what their users are doing with data and cannot detect when proper security practices are being bypassed, then they will not be trusted to handle valuable personal financial information.”