Getty Images reader comments
142 with 97 posters participating
Share this story
Morgan Stanley on Tuesday agreed to pay the Securities and Exchange Commission (SEC) a $35 million penalty for data security lapses that included unencrypted hard drives from decommissioned data centers being resold on auction sites without first being wiped.
The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.
“MSSB’s failures in this case are astonishing,” said Gurbir S. Grewal, director of the SEC’s enforcement division, using the initials for Morgan Stanley Smith Barney, the full name of the firm. “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.”
Much of the failure stemmed from the 2016 hire of a moving company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the data of millions of customers. The moving company received 53 RAID arrays that collectively contained roughly 1,000 hard drives, and it also