The US Securities and Exchange Commission has agreed to settle charges against Morgan Stanley Smith Barney (MSSB) over its “astonishing” failure to protect the personal identifying information of some 15 million customers.
MSSB, now known as Morgan Stanley Wealth Management, is the wealth management division of banking giant Morgan Stanley, which this week agreed to pay $35 million to settle allegations that it did not properly dispose of hard drives and servers containing the personal data of its customers over a five-year period beginning as early as 2015.
Morgan Stanley hired a moving and storage company with “no experience or expertise in data destruction services,” according to the SEC, and failed to properly audit the moving company’s work. Some hard drives were later found on an internet auction site with customers’ personal information still stored in them.
“While MSSB has recovered some devices that have been shown to contain thousands of pieces of unencrypted customer data, the company has not recovered the vast majority of the devices,” the SEC said in a statement.
The SEC also alleged that Morgan Stanley lost track of 42 servers that may contain unencrypted customer data when it dismantled local office and branch servers as part of a hardware refresh program. The regulator added that during the process, MSSB discovered that the local devices being decommissioned were equipped with encryption capabilities, but that the encryption software had not been activated.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB has failed miserably in this regard,” said Gurbir S. Grewal, director of the SEC’s enforcement division. “If this sensitive information is not properly secured, it could fall into the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take their obligation to protect such data seriously.”
In a statement to londonbusinessblog.com, Morgan Stanley did not admit or deny the findings, but said it is “glad to resolve this matter.”
“We have previously notified applicable customers of these matters, which occurred several years ago, and have not discovered any unauthorized access or misuse of personal customer information,” said Susan Siering, a Morgan Stanley spokesperson.
The news of the SEC’s fine comes after Morgan Stanley became entangled in a data breach last year as a result of the Accellion hack. The investment banking business, no stranger to data breaches, admitted that attackers stole personal information from its customers by hacking into a third-party Accellion server, which it uses for file sharing and transfers.