The Securities and Exchange Commission (SEC) announced on Tuesday that Morgan Stanley has agreed to pay a $35 million fine for exposing the personal information of millions of customers.
According to the SEC, the Morgan Stanley Smith Barney wealth management business was charged over its ‘extensive failures’ over a period of five years. Specifically, it allegedly failed to protect the personal information of roughly 15 million customers.
The agency said the financial services giant failed to properly dispose of hard drives and servers storing customer data. Starting in 2015, on multiple occasions, the company hired a moving and storage company to decommission thousands of devices.
However, the hired company had no expertise or experience in data destruction, and even sold thousands of Morgan Stanley devices to a third-party, including ones containing customer information. The devices were then resold on an auction website without the customer data getting removed.
The company attempted to get the devices back, but a vast majority of them could not be recovered.
In addition, the SEC said Morgan Stanley failed to properly secure customer information when it decommissioned local office and branch servers. The company found that 42 servers, all potentially containing unencrypted sensitive information, were missing.
The SEC said Morgan Stanley did not admit or deny the charges, but consented to the agency’s order finding that it violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the $35 million penalty.
This is not the first time Morgan Stanley has been involved in a data security incident. In 2016, the SEC said the company would pay a $1 million penalty for failure to protect information on roughly 730,000 of its clients, after an employee copied information to a personal server that was later hacked.
Last year, the company revealed that the personal information of some customers was compromised as a result of the Accellion hack, which impacted many major companies.
Related: Twitter to Pay $150M Penalty Over Privacy of Users’ Data
Related: Britain Fines US Hotel Chain Marriott Over Data Breach
Related: Dutch Data Protection Authority Fines Booking.com Over Incident Notification
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
- CISA, NSA Issue Guidance for IAM Administrators
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
