On Tuesday, September 20, 2022, the Securities and Exchange Commission (SEC) revealed that financial services corporation Morgan Stanley will be sanctioned with a $35M fine.

Morgan Stanley Smith Barney, the wealth & asset management division of Morgan Stanley, was accused of “extensive failures” in protecting important data that led to the exposure of 15 million customers’ personal information over a period of five years.

Morgan Stanley did not admit or deny the charges but agreed to pay the penalty for violating the Safeguards and Disposal Rules under Regulation S-P.

What Happened

According to the SEC, the financial corporation did not properly dispose of old drives and servers that contained important data. Starting in 2015, Morgan Stanley hired a moving and storage company to handle thousands of devices.

However, the hired company had no expertise or experience in data destruction, and even sold thousands of Morgan Stanley devices to a third party, including ones containing customer information. The devices were then resold on an auction website without the customer data being removed.

The company attempted to get the devices back, but the vast majority of them could not be recovered.

The SEC also pointed to 42 missing servers, all of which could have contained unencrypted confidential material. The devices went missing after Morgan Stanley decommissioned the local office and branch servers.

Not the First Cybersecurity Incident

This is not the first cybersecurity incident for Morgan Stanley.

In 2016, the company paid a $1 million penalty for not properly protecting the information of its clients. At that time, an employee copied sensitive data of approximately 730,000 clients to a personal server that was later breached.

In 2021, Morgan Stanley was the victim of the Accellion hack, in which the personal information of clients was again exposed. The hack affected many large businesses, and the financial corporation was compromised through a third-party vendor.
