Lax Data Security Practices Cost Morgan Stanley $35M in SEC Penalty

The US Securities and Exchange Commission (SEC) charged Morgan Stanley Smith Barney (MSSB), which agreed to pay a $35 million penalty, with negligence in safeguarding its clients’ data. The settlement covers “extensive failures” by the investment advisor and financial services company over a period of more than five years.

Morgan Stanley agreed to settle the $35 million penalty with the SEC. The federal agency said the company failed to protect user data as mandated by federal privacy regulations. Evidently, Morgan Stanley irresponsibly disposed of thousands of devices containing its customers’ personally identifiable information (PII).

The PII and other data on these devices (hard drives and servers) were left unencrypted even though the hardware supported encryption, a technical lapse in itself. So when Morgan Stanley hired a moving company with “no experience or expertise in data destruction services” to dispose of them, it exposed the PII of 15 million customers.

Jordan Schroeder, managing CISO at Barrier Networks, told Spiceworks, “This is an astonishing security mistake by one of the world’s most prestigious banks, who would be expected to have well-established procedures in system life cycle management.”

“Not only does the situation mean that the bank put customer data at risk, but it also demonstrates that the organization was not following an expected policy which explained the secure disposing of IT equipment. Such a large fine, and the impact to Morgan Stanley customers, is an avoidable consequence.”


Morgan Stanley recovered some of the devices, but “a vast majority” were not recovered. As many as 42 servers holding unencrypted PII are still missing. The hard drives and servers came from a local office and a branch that had since been decommissioned.

“Other businesses must use this case as an example of why it is critical to have processes in place on how to properly dispose of IT equipment. IT systems hold confidential information, so working with a trusted provider that can destroy data without putting it at risk is essential,” Schroeder added.

Morgan Stanley expressed satisfaction with the outcome in its statement to multiple outlets. “We are pleased to be resolving this matter,” the company said. “We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information.”

However, the financial services major did not clarify how it investigated whether the exposed PII was misused for financial fraud, identity theft or any other purpose by threat actors. The moving company Morgan Stanley hired sold thousands of the devices to a third party through an online auction without wiping the PII.

Gurbir Grewal, director of the SEC’s enforcement division, said, “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”

Schroeder added, “Any company that doesn’t do this [implement appropriate safeguards] will find itself breaching GDPR and other privacy regulations and could face similar fines.”
