Morgan Stanley was fined millions of dollars for failing to encrypt hardware

Morgan Stanley has paid a settlement to the US Securities and Exchange Commission (SEC) to end a lawsuit over allegations that the financial services firm did not adequately safeguard its clients' personal information.

Without admitting guilt or disputing the SEC's findings, the company has agreed to pay $35 million to settle the case.

The SEC found that Morgan Stanley did not adequately safeguard client information during the decommissioning of certain storage facilities. For example, in 2015, Morgan Stanley reportedly hired a storage and moving company "with no experience or expertise in data destruction services" to decommission thousands of hard drives (HDD) and servers containing unencrypted personal information on millions of customers.

Instead of properly disposing of the sensitive hardware, the company allegedly sold the devices to a third party, which then auctioned them off online.

In addition, the relocation service lost 42 servers in the process.

"Customers entrust financial professionals with the understanding and expectation that their personal information will be protected," said Gurbir S. Grewal, Director of the SEC's Enforcement Division. "MSSB fell woefully short in doing so."

"Investments can be ruined if this private data falls into the wrong hands. The action taken today sends a strong message to financial institutions that they must take their responsibility to protect this information very seriously."

Businesses have developed elaborate procedures for securely disposing of old and obsolete storage units, making data center decommissioning a full-fledged industry in and of itself.

Data has become an increasingly valuable asset over the past decade, drawing scrutiny from governments, privacy advocates, and non-profits concerned with the proper handling of sensitive data.