Morgan Stanley fined $35M for exposing millions of customers’ data

Morgan Stanley's wealth and asset management division Morgan Stanley Smith Barney has agreed to pay a $35 million fine to settle charges filed by the U.S. Securities and Exchange Commission pertaining to federal regulation violations on customer data protection and disposal, TechRepublic reports. The SEC found in its investigation that nearly 15 million MSSB clients had their personally identifiable information compromised after the financial giant enlisted a moving and storage firm without any data destruction experience for the disposal of hard drives and servers containing customers' PII. Thousands of the devices that were supposed to be destroyed were sold by the moving company to a third-party, which then resold them on an internet auction site. Recovery of some of the devices revealed that customer information had not been encrypted by MSSB, according to the SEC. "Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors," said SEC Enforcement Division Director Gurbir Grewal. Meanwhile, Pathlock Chief Marketing Officer Mike Puterbaugh noted that the fine should prompt organizations to bolster data security capability evaluations and internal data security control audits.