The Securities and Exchange Commission (SEC) has revealed Morgan Stanley has agreed to pay a $35m fine for exposing the personal information of millions of customers.
According to Security Week, the SEC said the Morgan Stanley Smith Barney wealth management business was charged over its ‘extensive failures’ over a period of five years. The company also allegedly failed to protect the personal details of roughly 15 million customers.
The agency remarked that the financial services giant failed to properly dispose of hard drives and servers storing customer data.
From 2015, on multiple occasions, Morgan Stanley hired a moving and storage company to decommission thousands of devices. However, that firm had no expertise or experience in data destruction and even sold thousands of Morgan Stanley devices to a third party, including ones containing customer information. The devices were then resold on an auction website without the customer data being removed.
Morgan Stanley tried to get the devices back, but the vast majority of them could not be recovered.
The SEC said the firm failed to properly secure customer information when it decommissioned local office and branch servers. The company found that 42 servers, all potentially containing unencrypted sensitive information, were missing.
The Commission also said that the firm did not admit or deny the charges, but consented to the agency’s order finding that it violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay $35m.
Earlier this year, the firm agreed to pay $200m to US regulators the SEC and CFTC to resolve investigations into its record-keeping practices, according to Reuters.
Copyright © 2022 RegTech Analyst