The U.S. Securities and Exchange Commission said Tuesday that Morgan Stanley failed to protect the personal data of approximately 15 million users.
Morgan Stanley agreed to pay a $35 million penalty to settle the charges related to the security breakdown, the SEC said.
The government said Morgan Stanley did not properly destroy devices containing people’s information. Among other failures, it hired a moving and storage company with no experience in data destruction to decommission thousands of hard drives and servers holding that information.
The SEC said its investigation found the moving company sold thousands of the servers and hard drives, some of which eventually ended up on an internet auction site, without the removal of people’s information.
SEC Enforcement Division Director Gurbir S. Grewal said the failures, which occurred over five years, were “astonishing.”
“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” Mr. Grewal said in a statement. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”
Morgan Stanley recovered some of the devices that allegedly contained thousands of pieces of unencrypted customer data, but the “vast majority” of devices remain unrecovered, according to the regulators.
A Morgan Stanley spokesperson said the company has notified clients about the problems and is pleased to resolve the matter.
“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” the spokesperson said in a statement.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.