The bank improperly disposed of thousands of devices and some were auctioned off online without checking that customer data they contained had been deleted, according to the SEC. About 15 million clients’ details were compromised over a five-year period starting 2015.
Following the announcement by the SEC, Morgan Stanley said in a statement that it was pleased to have resolved the matter. “We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” the firm said.
Morgan Stanley agreed to pay the penalty and settle the case without admitting or denying the allegations.
The violations occurred because the firm hired a moving and storage company with no experience in data destruction and then failed to properly monitor the company’s work, the SEC said. Morgan Stanley recovered some of the devices, which had thousands of pieces of unencrypted customer data. The vast majority of devices were not found, according to the regulator.
Tuesday’s penalty is also related to the brokerage’s failure to properly dispose of customer and consumer report information as part of a broader hardware refresh program, during which the firm found that 42 servers were missing. The unit didn’t activate available encryption programs that were available on the devices, the SEC said.
(Updates with Morgan Stanley comment in third paragraph.)
--With assistance from
To contact the reporter on this story:
To contact the editors responsible for this story:
© 2022 Bloomberg L.P. All rights reserved. Used with permission.