US regulators have fined Morgan Stanley $35 million for its “outrageous” failure to protect customer data, which led to some computers containing sensitive customer data being auctioned off on the Internet.
The US Securities and Exchange Commission said Tuesday that the Wall Street bank's wealth management business failed to protect personally identifying information of about 15 million clients over a five-year period.
Since at least 2015, the bank, which agreed to settle the charges without admitting or denying them, failed to properly dispose of devices that stored personal customer data, according to the Securities and Exchange Commission.
The agency said Morgan Stanley had hired a carrier that did not specialize in data destruction and tasked it with decommissioning thousands of servers and hard drives.
That company later sold thousands of the bank's devices, some of which contained customer data, to a third party, before they were eventually resold on an online auction site. The SEC said the bank had recovered some, but not most, of the equipment.
Authorities also found that Morgan Stanley failed to protect customer data while shutting down some servers on its network. During this procedure, the bank realized that 42 servers that may have stored unencrypted personal information of customers were missing.
“We are happy to resolve this issue. We have previously notified relevant customers about these matters, which occurred several years ago, and have not detected any unauthorized access to or misuse of customer personal information,” Morgan Stanley said in a statement.
The SEC’s director of enforcement, Gurbir Grewal, described Morgan Stanley’s failures as “amazing.”
“Today’s action sends a clear message to financial institutions that they must take seriously their obligation to protect such data,” Grewal said in a statement.
The penalty is far greater than the $1 million fine the wealth management firm agreed to pay to the Securities and Exchange Commission in 2016 for a similar offense. The same division also reached a settlement in a class action lawsuit over data breaches, which included the creation of a $60 million fund to compensate victims.
Morgan Stanley acquired a majority stake in Citigroup's Smith Barney wealth management business in 2009 before completing a full takeover in 2012.
The division formed a cornerstone of Morgan Stanley’s push into wealth management and its efforts to reduce its dependence on investment banking and trading.
The move against Morgan Stanley comes as the Securities and Exchange Commission increases scrutiny of Wall Street’s record-keeping practices. The agency has launched an investigation into the retention of communications that has spread across the banking sector, as lenders prepare to pay more than $1 billion in fines to the Securities and Exchange Commission and the Commodity Futures Trading Commission.
JPMorgan agreed in December to pay US regulators $200 million for failing to keep records of employees’ communications on personal devices.