The United States Securities and Exchange Commission has now confirmed it will bring charges against financial services multinational Morgan Stanley Smith Barney (MSSB). US regulators describe the charges as stemming from the firm’s “astonishing” failure to safeguard the personally identifiable information (PII) of approximately 15 million of its customers.

Mismanagement of data protection

Operating as Morgan Stanley Wealth Management, MSSB is the asset and wealth management division of the banking company Morgan Stanley. MSSB recently agreed to pay $35 million to settle allegations that the firm failed to correctly dispose of servers and hard drives containing its customers’ PII over a five-year period extending back as far as 2015.

According to the Securities and Exchange Commission, the US financial services giant hired a company that specialised in storage and moving but had no expertise or experience in providing data destruction services. The Commission added that Morgan Stanley had also failed to adequately monitor the moving firm’s work. As a result, some of the company’s hard drives were later found for sale on an internet auction site with the personal data of MSSB customers still stored on them.

In a recent statement, a spokesperson for the Securities and Exchange Commission commented:

“While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices.”

Astonishing failure to safeguard customers

The Securities and Exchange Commission also alleges that MSSB lost track of a total of 42 servers that contained potentially unencrypted customer data after it decommissioned local branch and office servers as part of a hardware refresh programme. The US regulator added that, at that time, Morgan Stanley learned that the devices being decommissioned were equipped with encryption software, but that the firm had neglected to activate it.
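The two failures the regulator describes, devices released to a vendor with no verified destruction and devices whose installed encryption was never switched on, are both checkable before hardware leaves custody. The following is an added example written for this article and is not code from the SEC, Morgan Stanley or the vendor involved; the inventory fields, asset identifiers and disk-image contents are constructed for the illustration. The first function audits a decommissioning inventory and refuses to clear any device that is neither provably encrypted nor certified destroyed, or whose whereabouts are unknown; the second performs a crude residual-data check on a raw disk image, which is the kind of sample verification a firm can run on a vendor’s “wiped” drive instead of taking the vendor’s word for it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DecommissionedDevice:
    asset_id: str                    # constructed identifier for the illustration
    encryption_active: bool          # encryption software installed AND enabled
    destruction_cert: Optional[str]  # vendor certificate of destruction, if any
    location_known: bool             # False once chain of custody has been lost


def audit_inventory(devices: List[DecommissionedDevice]) -> List[Tuple[str, str, str]]:
    """Return (asset_id, severity, finding) for every device that must not be
    treated as safely retired.

    A device is clear only when its whereabouts are known AND its data is
    either unreadable (encryption was active) or certified destroyed.
    """
    findings = []
    for d in devices:
        if not d.location_known:
            # The worst case in the article: the device simply cannot be found.
            findings.append((d.asset_id, "critical", "untraceable: chain of custody lost"))
        elif d.destruction_cert is None and not d.encryption_active:
            # Readable data and no proof of destruction.
            findings.append((d.asset_id, "high", "unencrypted and no destruction certificate"))
        elif d.destruction_cert is None:
            # Data should be unreadable, but destruction is still unverified.
            findings.append((d.asset_id, "medium", "encrypted but destruction unverified"))
    return findings


def looks_sanitized(image: bytes, block_size: int = 512) -> bool:
    """Crude sanitisation check on a raw disk image.

    Every block must be uniformly 0x00 or 0xFF (the two patterns a wipe
    leaves behind). Any other content means data survived the wipe.
    """
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        if block != b"\x00" * len(block) and block != b"\xff" * len(block):
            return False
    return True


# Constructed sample inventory: one clean device and three problem cases.
SAMPLE_DEVICES = [
    DecommissionedDevice("SRV-001", encryption_active=True, destruction_cert="CERT-A1", location_known=True),
    DecommissionedDevice("SRV-002", encryption_active=False, destruction_cert=None, location_known=True),
    DecommissionedDevice("SRV-003", encryption_active=True, destruction_cert=None, location_known=True),
    DecommissionedDevice("SRV-004", encryption_active=False, destruction_cert=None, location_known=False),
]

# Constructed disk images: one fully zeroed, one with a fragment of a
# customer record left in the middle of otherwise zeroed space.
WIPED_IMAGE = b"\x00" * 2048
RESIDUAL_IMAGE = b"\x00" * 1024 + b"ACCT 0001 J. Q. CUSTOMER" + b"\x00" * 1000

if __name__ == "__main__":
    for asset_id, severity, finding in audit_inventory(SAMPLE_DEVICES):
        print(f"{asset_id}: [{severity}] {finding}")
    print("wiped image sanitized:", looks_sanitized(WIPED_IMAGE))
    print("residual image sanitized:", looks_sanitized(RESIDUAL_IMAGE))
```

Run as a script, the audit flags SRV-002, SRV-003 and SRV-004 and clears only SRV-001, and the residual image fails the sanitisation check while the zeroed one passes. A real programme would read the image from the drive itself and sample blocks across its full extent, but the decision rule is the point: a device is released only when the organisation holds its own evidence that the data is gone, not when a mover says so.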

Director of the Commission’s Enforcement Division, Gurbir S. Grewal, commented:

“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so. If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”

He added that the $35 million penalty sent a clear message to all financial organisations that they must take their obligation to safeguard confidential data seriously. Morgan Stanley neither admitted nor denied the regulator’s findings, but said it was pleased to be resolving the matter. It added that it had notified its customers about the incident and had detected no misuse of, or unauthorised access to, personal information.

News of the hefty fine follows Morgan Stanley’s exposure in a 2021 data breach caused by the headline-making Accellion hack. No stranger to data breaches, the investment banking firm admitted at the time that hackers stole personal customer information by compromising an Accellion server belonging to a third-party vendor.