Morgan Stanley to Pay $35M Fine for Exposing Information of Millions of Customers

The Securities and Exchange Commission (SEC) announced on Tuesday that Morgan Stanley has agreed to pay a $35 million fine for exposing the personal information of millions of customers.

According to the SEC, the Morgan Stanley Smith Barney wealth management business was charged over its ‘extensive failures’ spanning a period of five years. Specifically, it allegedly failed to protect the personal information of roughly 15 million customers.

The agency said the financial services giant failed to properly dispose of hard drives and servers storing customer data. Starting in 2015, on multiple occasions, the company hired a moving and storage company to decommission thousands of devices.

However, the hired company had no expertise or experience in data destruction, and even sold thousands of Morgan Stanley devices to a third party, including ones containing customer information. The devices were then resold on an auction website without the customer data having been removed.

The company attempted to get the devices back, but the vast majority of them could not be recovered.

In addition, the SEC said Morgan Stanley failed to properly secure customer information when it decommissioned local office and branch servers. The company found that 42 servers, all potentially containing unencrypted sensitive information, were missing.

The SEC said Morgan Stanley did not admit or deny the charges, but consented to the agency’s order finding that it violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the $35 million penalty.

This is not the first time Morgan Stanley has been involved in a data security incident. In 2016, the SEC said the company would pay a $1 million penalty for failure to protect information on roughly 730,000 of its clients, after an employee copied information to a personal server that was later hacked.

Last year, the company revealed that the personal information of some customers was compromised as a result of the Accellion hack, which impacted many major companies.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
