Everybody makes mistakes, especially in cybersecurity. Most jobs in the field are demanding and require sustained attention to detail, so a mistake is bound to come up every now and then. But a $35 million mistake? That doesn't happen every day.
Morgan Stanley has agreed to pay $35 million to settle charges from the U.S. Securities and Exchange Commission (SEC) stemming from the firm's failure to protect the personal identifying information (PII) of roughly 15 million customers. The SEC's order names the broker-dealer subsidiary, Morgan Stanley Smith Barney LLC, which it refers to as MSSB.
The SEC's investigation found that, beginning in 2015, MSSB repeatedly failed to properly dispose of devices containing customer PII. According to the SEC announcement:
"On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the PII of millions of its customers.
Moreover, according to the SEC's order, over several years, MSSB failed to properly monitor the moving company's work. The staff's investigation found that the moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without removal of such customer PII.
While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices."
The SEC also found that Morgan Stanley failed to protect customer PII while decommissioning servers at local offices and branches: 42 servers, each potentially holding unencrypted customer data, could not be accounted for.
During that review the firm also learned that the local devices had been equipped with encryption capability, but that it had never activated the encryption software, so the data on them had sat unencrypted for years.
Gurbir S. Grewal, Director of the SEC's Enforcement Division, discussed Morgan Stanley's settlement:
"MSSB's failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so.
If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today's action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data."
Morgan Stanley agreed to pay the SEC penalty without admitting or denying the SEC's findings.
Follow SecureWorld News for more stories on all things cybersecurity.