Anna Delaney: Morgan Stanley's hard drive destruction investment failure and what is the future of ransomware. These stories and more on this week's ISMG Security Report. Hello, I'm Anna Delaney. Morgan Stanley this week agreed to pay a $35 million fine to the U.S. Securities and Exchange Commission, which charged the banking giant with perpetrating numerous data protection mishaps over a five-year period. In particular, the bank has been charged with failing to properly decommission numerous hard drives. Joining me to discuss is Mathew Schwartz, executive editor for DataBreachToday and Europe. Matt, this seems like an old school data breach.
Mathew Schwartz: The words data breach conjures images of hackers remotely accessing corporate networks, dumping databases and selling stolen personal details in the dark web. But in the old days, many data breaches traced to physical culprits such as hard drives that hadn't been erased or destroyed, or printouts of people's personal information or lost laptops. For the past two decades, however, businesses have gotten a lot better at combating these things, driven in no small part by regulations. Today, they're a lot less likely to leave paper copies laying around, which has led to a sharp decline in the effectiveness of dumpster diving, to combat lost or stolen laptops containing people's personally identifiable information or PII. From leading that information being exposed, organizations now will typically encrypt all systems when they're at rest. And they oftentimes block external storage devices, or at least require them to be encrypted before you're allowed to copy any information onto them. And for retiring hard drives, there are now firms that will show up at your premises and destroy them for you using mobile destruction equipment. They'll document everything they're doing, including the serial numbers of the devices they've destroyed, so you can prove what you've done to regulators.
Delaney: And yet, according to the SEC's charges, Morgan Stanley chose to use a moving and storage firm to decommission hard drives and backup dates.
Schwartz: Not just a moving firm but only a moving firm. The SEC says it's charging document. And this resulted as well in the exposure of information pertaining to 15 million customers. So, your next question, and it might be where did it all go wrong for Morgan Stanley? Well, one of the ways they went wrong was the firm signing a contract with this moving company that promised to work with a third party e-waste management company that would have wiped the hard drives. But evidently, the moving company found it more profitable to sell the equipment without having to get it wiped, and eventually managed to shift inventory that included at least 1000 hard drives from RAID arrays, plus 8000 backup tapes. Now, the SEC says that if Morgan Stanley had been conducting proper oversight and due diligence, with this third-party moving firm, it would have noticed that it had lost its appetite for destruction. Instead, the banking giant failed to have the proper oversight. So, the SEC alleges - and these aren't the only allegations contained in the SEC's complaint. It documents five years of data protection mishaps resulting in at least 15 million customers' personal details, account numbers, Social Security numbers, contact information and more being exposed. Since all of this came to light, Morgan Stanley has failed to recover the vast majority of the devices that were improperly disposed of. Some of them have cropped up. There is an IT consultant in Oklahoma, who purchased a hard drive on an online auction site, found customer data, contacted Morgan Stanley and said, "Speaking as an IT consultant, I would have expected you to do better." Other hard drives have also been recovered, including 14 recovered from a downstream purchaser, the SEC says. And it's not reassuring, based on the digital forensic analysis of the drives 13 and 14 contained PII on at least 140,000 customers.
Delaney: For a firm the size of Morgan Stanley, isn't the $35 million fine just peanuts?
Schwartz: It sure seems like it. If you look at the EU's GDPR, an organization can be fined up to 4% of its annual turnover. By my calculations, Morgan Stanley here has been fined .06% of its net revenue for 2021. So we're not talking about some fierce slap on the wrist here. Now this isn't the only financial sanction to hit Morgan Stanley over various alleged data protection failings over a five-year period. In July 2020, Morgan Stanley had notified the 15 million affected customers that their data had likely been exposed. This triggered a class action lawsuit, which the bank settled in January for $60 million. Separately, there were two data center decommissioning in 2016 that apparently didn't go well, from a data protection standpoint. And the Department of the Treasury's Office of Comptroller of the Currency in 2020 slapped the bank with a $60 million fine. Again, seems like peanuts, doesn't it? If there's a bright light in all this, it's that the SEC orders Morgan Stanley to cease and desist from violating certain regulations, specifically regulation S-P rules 30(a) and 30(b), which require the firm to adopt written policies and procedures that address administrative technical and physical safeguards for the protection of customer records and information. The SEC has charged Morgan Stanley with failing to have written policies in place. If you don't have written policies, you can't enforce them. And this has led to so many of the alleged problems that have been documented in the SEC's complaint. If Morgan Stanley, which has neither confirmed nor denied the allegations, it's just agreed to pay a fine. If Morgan Stanley doesn't comply with the order, then the SEC can bring out the big guns: criminal contempt proceedings, and these can result in fines, incarceration for senior executives - wouldn't look good with it - or both. So either Morgan Stanley gets its Data Protection Act in order or can see its executives go to jail. I suspect the right incentives are in place for Morgan Stanley to be investing in this customer data protection it should have been doing for years.
Delaney: As always, appreciate your insight, Matt. this has been great. Thank you. What is the future of ransomware? And how are criminals evolving their tactics? Michael DeBolt, chief intelligence officer at Intel 471 spoke with our executive editor Jeremy Kirk about some of the latest trends, and why ransomware isn't going away anytime soon.
Jeremy Kirk: What is the future of ransomware? And is it going to continue with the same intensity of the last few years? There are many moving parts to this question. There's increased government pressure, the war in Ukraine and the effect of big attacks that have drawn massive attention to cyber criminals' actions. Michael DeBolt is chief intelligence officer with Intel 471, which is the cybercrime intelligence firm. He says that the future of this crime is hard to predict, but it's probably not going anywhere soon.
Michael DeBolt: And when I think about this, I think some of the reasons why we're seeing this very slight decline - organizations are getting better at detecting the precursors to ransomware attacks, using the external threat intelligence to understand what the actors are doing. And that helps them steer detection and it creates a high degree of readiness for them. Also, backups are being better utilized than ever before, pre-war, U.S.-led sanctions against some of these cryptocurrency exchanges. The classification of ransomware as a national security threat by the U.S. has caused some pain points, where it hurts actors. And that's in the money bag. That being said, I think we need to be careful because overall, we say decline. But the downward side of a mountain is still a mountain.
Kirk: There are also thoughts that cybercriminals may do away with the encryption aspect of the ransomware extortion model. Most ransomware groups steal sensitive data and then encrypt it. That way, if organizations don't pay to get the decryption keys, they still have them over a barrel by threatening to dump the data. The pure data extortion scheme has advantages since you don't have to mount a large malware attack. Also, threatening to dump the data makes having good backups irrelevant. So could this model overtake encryption?
DeBolt: I think it's very likely, we'll see more of what I would call pure play data extortion attacks, no encryption needed. I'm not sure that we'll see an equal decline in traditional encryption-based ransomware extortion as well. I don't think it's as simple or straightforward as that. What we do know is that the evolution of initial access brokers as a sub-industry within this cybercrime underground. And you couple that with organizations getting better at countering traditional encryption-based ransomware attacks has paved this way for pure play data extortion to rise to the top as the most prominent type of extortion attacks in the future. That's not to say that traditional encryption-based ransomware is ... we're going to see a huge decline there.
Kirk: Other question is whether we're seeing yet the fruits of government efforts against ransomware. Countries, including the U.S., U.K. and Australia, are working together to deter ransomware actors. That includes close monitoring of cryptocurrency exchanges, and even sometimes offensive action. Michael says the efforts are being noticed by the cyber criminal community.
DeBolt: The reverberations within the cybercrime underground, where you see a lot of the manifestation of these actors talking about these things, I have seen them back up on their heels a little bit, because, you hit them where it hurts, which is the purse strings. In this case, it's manifested as sanctioning these cryptocurrency exchanges, where we see a lot of these funds getting pushed and pulled through, that's going to hurt them. So, anything that we can do to disrupt these actors, and it might not be something that we necessarily see in the headlines, but it's something that they're dealing with, and that having to rejig how they process funds from a victim is going to be helpful to disrupt the individual operator or put doubt in the minds of operators within the ransomware landscape. So we're seeing some of that. Is it moving the needle to the point where we're seeing ransomware decline as the major overarching threat of the day? I don't think so. But that's not to say that the sanctions are not having an impact, or the progress that the governments have made are not impactful. They are, and we should continue to take it seriously.
Kirk: The risk reward payoff for ransomware is still in favor of the cyber criminals.
DeBolt: There has never been a crime type, an online crime type, in the past that have made instant millionaires like ransomware has. So there's that intrigue and that attraction that actors still have for ransomware. And it's going to remain status quo for quite some time. We need to be aware of that.
Kirk: For Information Security Media Group. I'm Jeremy Kirk.
Delaney: And finally, Software Point of Sale or SoftPOS is a groundbreaking technology, which allows businesses to accept card payments directly on their devices, without requiring any additional software. However, as this new payment method gains widespread international adoption, what does this mean for the security of our payment systems? On our latest episode of Sound Off, I asked that very question to Troy Leach, previously CTO of the PCI Security Standards Council and now chief strategy officer at Cloud Security Alliance. Here's what he said.
Troy Leach: Part of it gets down to the philosophy. So, what's been around for about 10 years, but gaining traction right now is the philosophy of zero trust. And so, having this approach, where we need to isolate down to what we're trying to protect, having smart identification of that edge and the protection surface that we're trying to guard and then having the right access controls. And going forward, we're going to see a need for higher levels of multi-factor authentication, we're going to see a need for better monitoring and understanding, and being able to demonstrate that. One of the things I like that the non-profit cloud security lines did is they created a framework that maps to 39-40 different frameworks that exist for different financial security protections. So, PCI, some of the Sarbanes Oxley, GDPR, all of these can map back to a basic framework. And from there, then you can start to test and demonstrate that what you're doing is actually going to meet and to hear to not just one or two or three, but possibly 18-20 different types of local legislation, because that's the other thing that's happening right now is we start to see in the last several years, a splintering of what is good enough payments security, so many of these states here in the U.S., I think 38 states have incorporated some form of new cybersecurity laws in the last two years, we start to see data localization, where countries like India have submitted bills. They just recently in July withdrew a bill about how sovereign the data needs to be in India, we see China, Russia and other countries, even Europe starting to explore data localization. So all of these are going to play a part in how successful and innovative we can be if you have to be just very acute of where that data is going to transition.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time.
