Securities regulators are fining Morgan Stanley $35 million after its wealth management division failed to protect the personal information of 15 million customers.
Morgan Stanley Smith Barney staff had been saving customer data on company-managed computer servers and hard drives since 2015, the Securities and Exchange Commission said Tuesday. In 2016 the investment bank hired a moving and storage company with no experience in data destruction to remove the data from the devices, according to the agency.
However, the unnamed mover did not wipe the data from the servers and hard drives thoroughly enough, according to the SEC. The company later resold about 4,900 Morgan Stanley devices, some of which still held customer data, the regulator said.
Morgan Stanley did not learn what had happened until late 2017, when an information technology consultant in Oklahoma bought some of the company’s old equipment and told the bank that he had discovered some of its data, the SEC said.
“You’re a major financial institution and you should follow some very strict guidelines on how to deal with hardware recalls, or at least get some sort of data destruction verification from vendors you sell equipment to,” the consultant wrote to the bank, according to SEC documents.
In a statement, SEC Enforcement Director Gurbir Grewal called Morgan Stanley’s failure to protect customer data “staggering.”
“If not properly protected, this sensitive information can end up in the wrong hands and have disastrous consequences for investors,” Grewal said.
The SEC said Morgan Stanley Smith Barney recovered some of the old equipment, but most of the devices have yet to be found.
A Morgan Stanley spokesman said the company is “delighted to resolve this matter.”
“We have previously notified appropriate customers of these matters, which occurred several years ago, and have not detected any unauthorized access to or misuse of customer personal information,” the spokesperson said in a statement to CBS MoneyWatch.
Morgan Stanley also failed to protect customer data in 2019 during a routine replacement of old computer equipment, regulators said. During that process, the company attempted to delete customer data from 500 servers at local branches but lost track of 42 of the servers, which contained private customer information, the SEC said.
The servers were equipped with encryption software that could have protected the customer data, but Morgan Stanley staff hadn’t activated it for years, the SEC said.