The Securities and Exchange Commission announced Tuesday that a Morgan Stanley subsidiary has agreed to pay $35 million to settle claims that it consistently failed to safeguard personal information for millions of clients.
Morgan Stanley Smith Barney failed to protect the personal identifying information of 15 million customers over a five-year period, according to the SEC. The company agreed to pay the penalty without admitting or denying the SEC's findings.
The firm failed to properly dispose of equipment containing sensitive information dating back to 2015, according to the SEC, including by regularly engaging a moving and storage company that lacked the skills required to decommission thousands of hard drives and servers. Those devices were eventually sold to a third party and auctioned off online with the sensitive information still intact and unencrypted. Only a portion of those devices was recovered, according to the regulator.
Morgan Stanley hired a moving and storage company with “no experience or expertise in data destruction services,” according to the SEC, and failed to properly monitor the moving company’s work. Some of the hard drives were later found on an internet auction site with customers’ personal data still stored on them.
“While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices,” the SEC said in a statement.
The SEC also said the firm lost track of 42 servers containing personal information during a hardware refresh program, and that for years beforehand it had failed to activate the encryption software already installed on those devices.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” Gurbir Grewal, the SEC’s enforcement director, said in a statement.
In a statement, a Morgan Stanley spokesperson said the firm was pleased to resolve the matter and had previously notified affected clients of the issues. The firm has not detected any unauthorized access to or misuse of personal information, the spokesperson added.
The SEC’s penalties come after Morgan Stanley was caught up in a data breach stemming from the Accellion attack last year. The investment bank, which has a history of data breaches, disclosed that attackers took personal information belonging to its customers by compromising an Accellion server operated by a third-party vendor, which the bank uses for file sharing and transfers.