Morgan Stanley to pay $35M after hard drives with 15M customers’ personal data turn up in auction


The U.S. Securities and Exchange Commission has agreed to settle charges against Morgan Stanley Smith Barney (MSSB) for its “astonishing” failure to protect the personally identifying information of some 15 million customers.
MSSB, now known as Morgan Stanley Wealth Management, is the wealth and asset management division of banking giant Morgan Stanley, which this week agreed to pay $35 million to settle allegations that it failed to properly dispose of hard drives and servers containing its customers’ personal data over a five-year period dating back to 2015.
Morgan Stanley hired a moving and storage company with “no experience or expertise in data destruction services,” according to the SEC, and did not properly monitor the moving company’s work. Some of the hard drives were later found on an internet auction site with customers’ personal data still stored on them.
“While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices,” the SEC said in a statement.
The SEC also alleged that Morgan Stanley lost track of 42 servers that potentially contained unencrypted customer data when it decommissioned local office and branch servers as part of a hardware refresh program. The regulator added that, during this process, MSSB learned that the local devices being decommissioned had been equipped with encryption capability but that it had failed to activate the encryption software.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir S. Grewal, director of the SEC’s Enforcement Division. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
In a statement given to TechCrunch, Morgan Stanley did not admit or deny the findings but said it is “pleased to be resolving this matter.”
“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” said Susan Siering, a spokesperson for Morgan Stanley.
News of the SEC’s fine comes after Morgan Stanley was caught up in a data breach last year as a result of the Accellion hack. The investment banking firm, no stranger to data breaches, admitted that attackers stole personal information of its customers by hacking into an Accellion server of a third-party vendor, which it uses for file-sharing and transfers.