Morgan Stanley will pay $6.5 million as part of a settlement with six state attorneys general over allegations the investment bank compromised the personal information of millions of customers, according to a statement from New York Attorney General Letitia James’ office.
The New York City-based firm put consumer data at risk when it failed to decommission computers and erase unencrypted data in devices that were later sold, James’ office said.
As part of the settlement, New York will receive $1.66 million, while the rest of the fine will be split between Connecticut, Florida, Indiana, New Jersey and Vermont. Dive Insight:
The action from the attorneys general marks at least the fourth penalty Morgan Stanley has paid related to data breaches in recent years. The Office of the Comptroller of the Currency fined Morgan Stanley $60 million in 2020 for failing to properly oversee the decommissioning of two data centers connected to its wealth management business.
The following year, the bank agreed to pay another $60 million in a class-action lawsuit over claims that the personal information of 15 million current and former clients was compromised when data stored on decommissioned equipment wasn’t completely wiped clean.
Related to the same incident, Morgan Stanley last year agreed to pay $35 million to the Securities and Exchange Commission to resolve allegations it hired a moving and storage company with no experience in data destruction to decommission thousands of hard drives and servers but failed to monitor the company’s work. The moving company sold the devices to a third party, which auctioned them online with some unencrypted data intact, the SEC said.
“No one should have their personal information auctioned off without their knowledge because a company failed to take basic steps to erase it before selling their old computers,” James said in a statement Thursday.
The bank was only made aware of the problem when a purchaser discovered the data and called the company, according to James’ office.
“Morgan Stanley failed to properly monitor the moving company’s work, and its computer equipment, some of which still contained private consumer information, was then sold at auction,” the AG’s office said.
In a second incident, the bank discovered during a decommissioning process that 42 servers, all potentially containing unencrypted customer information, were missing, according to the AG’s office.
“The multistate investigation found that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, both data security events could have been prevented,” James’ office said.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to have resolved this related investigation,” a Morgan Stanley spokesperson told The Wall Street Journal.
As part of the settlement, Morgan Stanley was ordered to bolster its data security practices, such as to encrypt all personal information; maintain a written policy that governs the collection, use, retention and disposal of consumers’ personal information; and maintain a vendor risk assessment team.