
Confidential Morgan Stanley customer data was auctioned on the internet

US federal regulators accused Morgan Stanley on Tuesday of “surprising” failures that led to the mishandling of confidential data for about 15 million customers.

Morgan Stanley received a $35 million fine from the Securities and Exchange Commission (SEC) for extensive failure to protect its customers’ personally identifiable information.

Since at least 2015, Morgan Stanley failed to properly dispose of devices that contained sensitive customer data, according to the agreement.

In an episode described by the SEC, Morgan Stanley hired a moving company, one that had “no experience or expertise” in data destruction, to decommission thousands of hard drives and servers that stored customer data.

That moving company later sold thousands of Morgan Stanley devices, some of which contained personally identifiable information, to third parties, the SEC said.

Those devices were eventually resold on an Internet auction site — without removing the sensitive data, according to the agreement.

Morgan Stanley was able to recover some of these devices, which contained “thousands of unencrypted customer data,” the SEC said.

“The company has not recovered the vast majority of the devices,” according to the agreement.

“Morgan Stanley’s failures in this case are staggering,” Gurbir Grewal, director of the SEC’s enforcement division, said in a statement.

“If not properly protected, this confidential information could end up in the wrong hands and have disastrous consequences for investors.”

In addition to the hard drives and servers, the SEC found that Morgan Stanley failed to protect customer data and properly dispose of consumer reporting information in other ways, including when the company shut down local and branch servers.

The settlement said an analysis by Morgan Stanley found that 42 servers, all potentially containing unencrypted data and consumer reporting information, were “missing”.

Morgan Stanley agreed to pay the fine without admitting or denying the settlement’s conclusions.

In a statement, Morgan Stanley said it was pleased to have resolved this issue and expressed confidence that no sensitive data had been exploited.

“We have already notified applicable customers of these matters, which have been occurring for several years, and we have not detected any unauthorized access or misuse of customer personal information,” Morgan Stanley said in a statement.

Source: CNN Brasil
