Pinned down by the SEC, Morgan Stanley will pay a fine of $35 million | Photo credits: Ken Wolter / Shutterstock.com
by Pete Schroeder
WASHINGTON, Sept 20 (Reuters) – A branch of Morgan Stanley is to pay a $35 million fine after the Securities and Exchange Commission, the policeman of U.S. markets, accused it of failing to protect data from millions of customers, the regulator said on Tuesday.
The SEC said that for five years, Morgan Stanley Smith Barney failed to protect the data of 15 million customers. The company agreed to pay the fine without confirming or denying the charges.
According to the SEC, Morgan Stanley did not properly decommission some of its devices.
In particular, it would have called on several occasions to a company that did not have the necessary expertise to decommission thousands of hard drives and servers. These devices ended up being sold to a third party and then auctioned online with the personal data intact and unencrypted. Only a portion of those devices have been recovered, according to the regulator.
The SEC said the company lost track of 42 servers containing personal data while they were undergoing a hardware update program, and failed to activate the software. encryption of these devices for years.
“MSSB’s failings in this case are astonishing. Customers entrust their personal data to financial professionals (..) expecting it to be protected, expectations that MSSB has failed to meet,” SEC chief enforcement officer Gurbir Grewal said in a statement.
A Morgan Stanley spokesperson said in a statement that the company is happy to resolve the matter and has already notified affected customers of the issues. The company said it did not detect any unauthorized access or misuse of personal data. (Report Pete Schroeder, French version Valentine Baldassari, edited by Sophie Louet)