Morgan Stanley unit fined $35M for mishandling customer data

The personally identifiable information of approximately 15 million MSSB customers was made vulnerable over a five-year period, beginning in 2015, because of failures by the firm to protect it, the SEC said in a press release Tuesday. MSSB is a wholly owned subsidiary of Morgan Stanley.

The trouble began when MSSB did not encrypt the personal data of customers stored on computer servers and hard drives, the SEC alleged. In 2016, the firm decommissioned two data centers and didn’t properly dispose of its computer servers and hard drives, the agency said.

MSSB did not admit or deny the SEC’s findings in reaching settlement. The firm agreed to be censured as part of the agency’s order.

MSSB should have hired data experts to destroy vulnerable data on the devices it wanted to decommission, the SEC said. Instead, the firm hired a moving and storage company with no data experience to “remove, destroy, or delete” data on hard drives and servers that contained thousands of pieces of personal data, the agency alleged in its order.

The moving company first contracted with an IT company to wipe out data on the servers. It then stopped working with that IT company and employed another that was never vetted or approved by MSSB, according to the SEC. The moving company never asked the second IT company it engaged to destroy the data.

As a result, some of the approximately 4,900 servers and hard drives the moving company sold still contained customers’ personal data and were made available for purchase on an internet auction website, according to the SEC.

MSSB allegedly learned of the issue in 2017, when an IT consultant in Oklahoma emailed the firm and said he purchased hard drives online that contained the firm’s data.

MSSB was able to recover some of the devices that had been sold but not the vast majority, the SEC said.

The moving company invoiced MSSB throughout the project for work that included wiping data from servers. The firm didn’t adequately review the invoices and work and simply paid the invoices, the SEC said.

Similarly, in 2019, MSSB lost track of 42 computer servers from local offices and branches when the company upgraded to new equipment, the SEC said. The servers, which contained customers’ personal data, were equipped with encryption software, but the firm failed to implement it, the SEC alleged.

The firm had no written policies about how to safely dispose of computer hardware containing customer data, the SEC said.

MSSB willfully violated the Safeguards and Disposal Rules of Regulation S-P, the agency alleged.

“MSSB’s failures in this case are astonishing,” said Gurbir Grewal, director of the SEC’s Enforcement Division, in a statement. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.”

“Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data,” Grewal said.

Morgan Stanley response: “We are pleased to be resolving this matter,” a firm spokesperson said in an emailed statement. “We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information.”

Morgan Stanley in December 2021 agreed to establish a $60 million fund to settle a class-action lawsuit filed by nearly a dozen customers regarding the personal data that was compromised when the bank decommissioned its two wealth management centers. In October 2020, the Office of the Comptroller of the Currency fined Morgan Stanley $60 million for its failure to maintain an appropriate inventory of the customer data stored on the decommissioned hardware.