Morgan Stanley hard drives with sensitive public data were auctioned off online by a moving company, according to federal regulators.
On Tuesday, the Securities and Exchange Commission (SEC), the federal government agency intended to protect the public from market manipulation, filed a settlement including a $35 million fine against Morgan Stanley over “extensive” failures in data security regarding their clients.
Since at least 2015, the SEC has been trying to force the multinational investment company, one of the world’s largest, to respect the laws concerning client privacy. Most of its breaches of trust concern its physical hardware – hard drives, computers, laptops, and phones.
In an incident specified by the SEC in their settlement, Morgan Stanley hired a moving company to decommission hard drives and physical servers holding the sensitive data of hundreds of thousands of customers. Just a moving company, not a business with any experience in data destruction. Someone at that company plainly took advantage of the situation, as thousands of those devices turned up in online auctions, data still intact.
According to the SEC, Morgan Stanley recovered only a very few of those devices, but even those few contained “thousands of pieces of unencrypted customer data.”
The data included contact information, banking details, and tax identification and social security numbers.
Gurbir Grewal, director of the SEC’s enforcement division, calls the negligence “astonishing.”
“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors,” said Grewal.
“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” Morgan Stanley said in a statement about the settlement and fine. The company has said it is pleased to have resolved the issue, but 42 servers remain missing according to their own records.