The U.S. Securities and Exchange Commission has agreed to settle charges against Morgan Stanley Smith Barney (MSSB) for its “astonishing” failure to protect the personal identifying information of some 15 million customers.
MSSB, now known as Morgan Stanley Wealth Management, is the wealth and asset management division of banking giant Morgan Stanley, which this week agreed to pay $35 million to settle allegations that it failed to properly dispose of hard drives and servers containing its customers’ personal data over a five-year period as far back as 2015.
Morgan Stanley hired a moving and storage company with “no experience or expertise in data destruction services,” according to the SEC and failed to properly monitor the moving company’s work. Some of the hard drives were later found on an internet auction site with customers’ personal data still stored within.
“While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices,” the SEC said in a statement.
The SEC also alleged that Morgan Stanley lost track of 42 servers that potentially contained unencrypted customer data when it decommissioned local office and branch servers as part of a hardware refresh program. The regulator added that, during this process, MSSB learned that the local devices being decommissioned had been equipped with encryption capability but had failed to activate the encryption software.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir S. Grewal, director of the SEC’s Enforcement Division. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
In a statement given to TechCrunch, Morgan Stanley didn’t admit or deny the findings but said it is “pleased to be resolving this matter.”
“We have previously notified applicable clients regarding these matters, which occurred several years ago and have not detected any unauthorized access to, or misuse of, personal client information,” said Susan Siering, a spokesperson for Morgan Stanley.
News of the SEC’s fine comes after Morgan Stanley was caught up in a data breach last year as a result of the Accellion hack. The investment banking firm — no stranger to data breaches — admitted that attackers stole personal information of its customers by hacking into an Accellion server of a third-party vendor, which it uses for file-sharing and transfers.