US regulators have fined Morgan Stanley $35mn for an “astonishing” failure to protect customer data, which resulted in some computer hardware containing sensitive client data being auctioned off online.
The US Securities and Exchange Commission said on Tuesday that the Wall Street bank’s wealth management business failed to protect information identifying around 15mn customers over a five-year period.
From at least 2015, the bank, which agreed to settle the charges without admitting or denying the accusations, failed to properly dispose of devices storing clients’ personal data, according to the SEC.
Morgan Stanley hired a moving company that did not specialise in discarding data and tasked it with disabling thousands of servers and hard drives, the agency said.
The moving company subsequently sold thousands of the bank’s devices, some of which contained customer data, to a third party before they were eventually resold on an online auction site. The bank has recovered some but not most of the equipment, the SEC said.
The authorities also found Morgan Stanley failed to protect customer data while shutting down some servers on its network. During this procedure, the bank realised 42 servers that may have stored customers’ unencrypted personal information were missing.
Morgan Stanley did not immediately respond to a request for comment.
The director of the SEC’s enforcement division, Gurbir Grewal, described the failings by Morgan Stanley as “astonishing”.
“Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data,” Grewal said in a statement.
The penalty is significantly larger than the $1mn fine that the wealth management business agreed to pay to the SEC in 2016 for a similar offence. The same division also reached a settlement in class action suit over data breaches, a resolution that included the creation of a $60mn fund to compensate victims.
Morgan Stanley took a majority stake in Citigroup’s Smith Barney wealth management business in 2009 before completing a full buyout in 2012.
The division formed the centrepiece of Morgan Stanley’s push into wealth management and its efforts to reduce its reliance on investment banking and trading.
The move against Morgan Stanley comes as the SEC heightens scrutiny of Wall Street’s record-keeping practices. The agency has launched an investigation into communications storage that has spread across the banking sector, with lenders preparing to pay more than $1bn in penalties to the SEC and the Commodity and Futures Trading Commission.
JPMorgan in December agreed to pay US regulators a record $200mn for failing to maintain records of employees’ communications on personal devices.