Another Object Lesson in Poor Data Management

Jan 10, 2022

Technology lifecycle management is a security imperative. In what is yet another example of a large organization overlooking this responsibility, financial services firm Morgan Stanley was hit with a $60 million class action judgment after failing to properly manage data storage equipment, resulting in a data breach. The firm had sold some machines after decommissioning a number of data centers, while other servers were transferred to a third party, and unsecured customer data was determined to have been on the systems involved.

That penalty, announced on January 3, 2021 (pending approval by a U.S. District judge), was in addition to a $60 million fine levied by the U.S. Comptroller of the Currency in October 2020 after charging Morgan Stanley with unsound data security practices for the same incident. The personally identifiable information (PII) of as many as 15 million customers was involved. Morgan Stanley is also responsible for providing any affected customers at least two years of fraud insurance, and customers can also apply for up to $10,000 in out-of-pocket loss reimbursement associated with the breach. It’s unclear whether the data was actually unsecured, or if security could not be verified, but to regulators, it’s the same thing.

Data Security and Management is Important

It’s important to meticulously manage data—and the systems that store and move it—in order to avoid these kinds of incidents. When older technologies become obsolete, and their makers decide to end support, those systems, whether hardware or software, become vulnerable to cybercriminals who target organizations known to use those systems. The dangers were illustrated in early 2020 when vulnerabilities in an older file transfer appliance sold by Accellion were exploited by ransomware gangs. Coincidentally, Morgan Stanley was among the long list of commercial, academic, healthcare, and governmental organizations around the globe that were breached by attacks on the vulnerable appliance.

We’ve been reminding users of the need to replace the soon-to-be-obsolete RepliWeb file transfer software. Qlik, which acquired the product when it bought Attunity in 2019, announced its intent to shutter RepliWeb in August of 2020. Qlik has been open with its customers about the decision, and that RepliWeb will no longer be supported as of January 31 of this year.

The Devil is in the Details

Secure managed file transfer software is not a panacea for these kinds of security and data management issues. However, secure MFT can play an important role in a strong data security and data management program. Our Diplomat MFT platform automates the process of encrypting data before sending it to its destination, and it also automatically documents all actions taken so that files that may fall under various security and privacy laws can be affirmed to have been encrypted before transfer, or before being sent into storage or archive. If a security audit is necessary in the event of a breach, that simple proof can help to avoid serious financial and reputational penalties.

Often, the kinds of oversights that can result in a finding of non-compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), Europe’s General Data Protection Regulation (GDPR), and many other state, federal, and international laws happen because of a lack of simple technology lifecycle management, or even a reliance on do-it-yourself solutions. There are a lot of details that have to be attended to, and ignoring or overlooking them can be costly.

The DIY approach to managed file transfer looks good at first, but when you consider that solutions built in-house rarely take into consideration all of the things a professionally developed product does, the risks become evident. DIY usually lacks proper documentation, doesn’t scale, and isn’t backed by professional support and services. DIY MFT solutions are also not easy to maintain or use, and are more likely to result in an error that could put data at risk of breach.

Coviant Software has invested nearly twenty years in developing what we believe is the best MFT product on the market. Diplomat MFT has all the features you need in an MFT platform, without any of the fancy bells and whistles that add cost and little else. You can download and try Diplomat MFT for free, or request a free demonstration, to see for yourself why we—and our roster of customers from around the world and across every industry—consider Diplomat MFT to be a great value, and why they trust us to transfer millions of files reliably and securely every day.
