
Morgan Stanley fined $35 million for failing to protect customer data

Securities regulators are fining Morgan Stanley $35 million after its wealth management division failed to protect the personal information of 15 million customers. 

Staffers at Morgan Stanley Smith Barney had been keeping customer data on company-managed servers and hard drives going back to 2015, the Securities and Exchange Commission said Tuesday. In 2016 the investment bank hired a moving and storage company with no data-destruction experience to wipe the data from those devices, according to the agency. 

However, the unnamed moving company didn't clear data from the servers and hard drives thoroughly enough, according to the SEC. The company later resold about 4,900 former Morgan Stanley devices, some of which still had customer data on them, the regulator said. 

Morgan Stanley wasn't aware of what had happened until late 2017, when an information technology consultant in Oklahoma bought one of the company's old pieces of equipment and informed the bank that he had discovered some of its data, the SEC said. 

"Astonishing" failure 

"You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to," the consultant wrote to Morgan Stanley, according to agency documents.
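The "verification of data destruction" the consultant describes can be done directly against a retired drive before it leaves custody, by imaging it and checking that nothing readable survived the wipe. The script below is an added example written for this article, not code from CBS, Morgan Stanley or the SEC. It assumes the drive has been imaged to a file (or is readable as a block device), treats an all-zero block as the result of an overwrite pass and a uniformly high-entropy block as the result of a crypto-erase, and flags everything else as possible leftover plaintext. The sample image it builds, including the fake customer record, is constructed for the demonstration and contains no real data.

```python
"""Spot-check a decommissioned drive image for residual data.

Added example, not code from the article or from Morgan Stanley / the SEC.
Assumes the drive has been imaged (or is readable as a block device) and that
a sanitized device is either all zeros (overwrite) or uniformly high-entropy
(crypto-erase). Everything else is reported as possible leftover plaintext.
"""
import math
import os
import tempfile
from collections import Counter

BLOCK_SIZE = 4096          # one scan unit; tune to the device's sector/page size
ENTROPY_THRESHOLD = 7.5    # bits/byte; ciphertext or random fill scores close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_image(path: str, block_size: int = BLOCK_SIZE, max_offsets: int = 10) -> dict:
    """Classify every block of the image and summarise what was found.

    Blocks that are neither all-zero nor high-entropy are the interesting ones:
    they look like plaintext (file systems, documents, customer records) that a
    wipe should have removed. Their byte offsets are returned so a reviewer can
    inspect them (for example with a hex editor or `strings`).
    """
    zero = nonzero = high = plain = 0
    offsets = []
    offset = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(block_size)
            if not block:
                break
            if block.count(0) == len(block):
                zero += 1
            else:
                nonzero += 1
                if shannon_entropy(block) >= ENTROPY_THRESHOLD:
                    high += 1
                else:
                    plain += 1
                    if len(offsets) < max_offsets:
                        offsets.append(offset)
            offset += len(block)
    return {
        "blocks": zero + nonzero,
        "zero_blocks": zero,
        "high_entropy_blocks": high,
        "plaintext_blocks": plain,
        "plaintext_offsets": offsets,
        # An overwrite pass leaves no non-zero block at all; a crypto-erase
        # leaves only high-entropy blocks. Plaintext blocks fail either way.
        "passes": plain == 0,
    }


def make_sample_image(path: str, blocks: int = 64) -> None:
    """Write a constructed image: zeros everywhere except a plaintext block at
    index 17 (a fake customer record, not real data) and a uniformly distributed
    block at index 40 standing in for ciphertext."""
    image = bytearray(blocks * BLOCK_SIZE)
    record = b"ACCT 0000-0000 | NAME J. DOE | SSN 000-00-0000 | DOB 01/01/1970\n"
    plaintext = (record * (BLOCK_SIZE // len(record))).ljust(BLOCK_SIZE, b"\x00")
    cipher_like = bytes(range(256)) * (BLOCK_SIZE // 256)   # entropy exactly 8.0
    image[17 * BLOCK_SIZE:18 * BLOCK_SIZE] = plaintext
    image[40 * BLOCK_SIZE:41 * BLOCK_SIZE] = cipher_like
    with open(path, "wb") as fh:
        fh.write(image)


def demo() -> dict:
    """Build the sample image in a temp file, scan it, clean up, return the report."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_sample_image(path)
        return scan_image(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed image the scan reports 62 zero blocks, one high-entropy block and one plaintext block at byte offset 69632, so the device fails. Two caveats a practitioner should keep in mind: a drive that was never wiped but was fully encrypted also reads as uniformly high-entropy, so this check only proves a crypto-erase if the key is known to have been destroyed; and on SSDs, over-provisioned or remapped cells are not visible through the block interface, so a sampling scan complements, rather than replaces, the vendor's own sanitize command and a signed certificate of destruction.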

In a statement, SEC enforcement director Gurbir Grewal called Morgan Stanley's failure to protect customer data "astonishing." 

"If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors," Grewal said. 

The SEC said Morgan Stanley Smith Barney recovered some of the old equipment, but most of the devices have yet to be found.

A Morgan Stanley spokesperson said the company is "pleased to be resolving this matter."

"We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information," the spokesperson said in a statement to CBS MoneyWatch.

Morgan Stanley also failed to protect customer data in 2019 during a routine replacement of old computer equipment, regulators said. During that project the company set out to wipe customer data from 500 servers at local branches but lost track of 42 of them, which contained private customer information, the SEC said. 

The remaining servers had encryption safeguards on them to protect customer data, but Morgan Stanley staffers hadn't activated the software for years, the SEC said.
