In one episode described by the SEC, Morgan Stanley hired a moving company — one that had “no experience or expertise” in data destruction — to decommission thousands of hard drives and servers holding customer data.
That moving company later sold thousands of Morgan Stanley devices, some of which contained personal identifying information, to a third party, the SEC said.
Those devices were eventually resold on an internet auction site — without the removal of the sensitive data, according to the settlement.
Morgan Stanley was able to recover some of those devices, which contained “thousands of pieces of unencrypted customer data,” the SEC said.
“The firm has not recovered the vast majority of the devices,” according to the settlement.
Morgan Stanley’s “failures in this case are astonishing,” Gurbir Grewal, director of the SEC’s enforcement division, said in a statement. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”
Beyond the servers and hard drives, the SEC found that Morgan Stanley failed to safeguard customer data and properly dispose of consumer report information in other ways, including when the firm shut down local office and branch servers. The settlement said that a Morgan Stanley review found that 42 servers, all potentially containing unencrypted data and consumer report information, were “missing.”
Morgan Stanley agreed to pay the fine without admitting or denying the findings in the settlement.
In a statement, Morgan Stanley said it is pleased to have resolved this issue and expressed confidence that no sensitive data was exploited.
“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” Morgan Stanley said in the statement.