The Securities and Exchange Commission (SEC) announced on Tuesday that Morgan Stanley has agreed to pay a $35 million fine for exposing the personal information of millions of customers.
According to the SEC, the Morgan Stanley Smith Barney wealth management business was charged over its ‘extensive failures’ over a period of five years. Specifically, it allegedly failed to protect the personal information of roughly 15 million customers.
The agency said the financial services giant failed to properly dispose of hard drives and servers storing customer data. Starting in 2015, on multiple occasions, the company hired a moving and storage company to decommission thousands of devices.
However, the hired company had no expertise or experience in data destruction, and even sold thousands of Morgan Stanley devices to a third-party, including ones containing customer information. The devices were then resold on an auction website without the customer data getting removed.
The company attempted to get the devices back, but a vast majority of them could not be recovered.
In addition, the SEC said Morgan Stanley failed to properly secure customer information when it decommissioned local office and branch servers. The company found that 42 servers, all potentially containing unencrypted sensitive information, were missing.
The SEC said Morgan Stanley did not admit or deny the charges, but consented to the agency’s order finding that it violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the $35 million penalty.
This is not the first time Morgan Stanley has been involved in a data security incident. In 2016, the SEC said the company would pay a $1 million penalty for failure to protect information on roughly 730,000 of its clients, after an employee copied information to a personal server that was later hacked.
Last year, the company revealed that the personal information of some customers was compromised as a result of the Accellion hack, which impacted many major companies.
Related: Twitter to Pay $150M Penalty Over Privacy of Users’ Data
Related: Britain Fines US Hotel Chain Marriott Over Data Breach
Related: Dutch Data Protection Authority Fines Booking.com Over Incident Notification