Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Morgan Stanley to Pay $1 Million Penalty Over Customer Data Theft

Banking giant Morgan Stanley will pay $1 million as penalty for failure to protect information on roughly 730,000 of its clients, the Securities and Exchange Commission (SEC) said Wednesday.   

Banking giant Morgan Stanley will pay $1 million as penalty for failure to protect information on roughly 730,000 of its clients, the Securities and Exchange Commission (SEC) said Wednesday.   

According to the SEC, the bank “failed to adopt written policies and procedures reasonably designed to protect customer data,” which enabled a then-employee to access and transfer data on the customer accounts accounts to a personal server, which the was ultimately hacked by third parties.

“A likely third-party hack of Marsh’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities,” the SEC said.

In January 2015, Morgan Stanley acknowledged that account information for about 900 of its clients, including account numbers and names, was briefly posted on the Internet and, once detected, was “promptly removed.”

The employee at the time, Galen J. Marsh, was was criminally convicted for his actions in 2015 and received 36 months of probation and ordered to $600,000 in restitution.

According to the SEC, Morgan Stanley violated Rule 30(a) of Regulation S-P, also known as the “Safeguards Rule.”  

“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” Andrew Ceresney, Director of the SEC Enforcement Division, said in a statement.

The SEC alleges that Morgan Stanley didn’t audit or test the “relevant authorization modules” or monitor or analyze employees’ access to portals containing sensitive data.

Advertisement. Scroll to continue reading.

Morgan Stanley agreed to settle the charges and pay the $1 million without admitting or denying the findings.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.