Morgan Stanley was fined $35 million from the Securities and Exchange Commission for “extensive failures to safeguard personal identifying information on its clients”, according to new reports. Federal regulators called it “astonishing” that Morgan Stanley mishandled sensitive data of over 15 million customers.
The SEC found that Morgan Stanley hired a moving company that “had no experience or expertise” in data destruction to decommission thousands of hard drives and servers. These hard drives were not wiped or properly “sanitized”, and ended up for sale on online auction sites – data intact.
It is believed that Morgan Stanley mishandled the customer data and hard drives since at least 2015.
Gurbir Grewal, director of the SEC’s enforcement division called Morgan Stanley’s “failures in this case astonishing.” He continued, “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”
The investigation found that 42 servers containing unencrypted customer data and consumer report information went “missing.”
Yet, Morgan Stanley claims no sensitive data was exploited. They also agreed to pay the $35 million fine.
“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” Morgan Stanley said in the statement.
But according to the New York Times, an information technology consultant in Oklahoma who bought some of the hard drives was indeed able to access the unencrypted customer data.
Morgan Stanley eventually bought the hard drives back from the consultant, per the Times.
