NEW YORK–Morgan Stanley has been hit with a $35 million fine for “astonishing” failures that led to the mishandling of sensitive data, after it failed to wipe the hard drives of old computers it was disposing of.
The hard drives held information on approximately 15-million customers.
According to the Securities and Exchange Commission, Morgan Stanley hired a moving company that had “no experience or expertise” in data destruction to decommission thousands of hard drives and servers holding customer data.
The SEC said that same company later sold thousands of those devices, some of which contained personal identifying information, to a third party. Eventually, the devices, still loaded up with sensitive data, wound up on an auction site, according to the New York Times.
“…Failures in this case are astonishing,” Gurbir Grewal, director of the SEC’s enforcement division, said in a statement. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”
Neither Confirming Nor Denying
Morgan Stanley agreed to pay the fine without admitting or denying the findings in the settlement.
“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” Morgan Stanley said in a statement.