The Office of the Comptroller of the Currency says it has fined Morgan Stanley $60 million over alleged lapses in protecting customer data on decommissioned equipment in 2016 and 2019, which have already attracted several customer lawsuits.
Morgan Stanley Bank and Morgan Stanley Private Bank allegedly failed to exercise proper oversight in the decommissioning of two wealth management business data centers in the U.S. in 2016, according to the consent order published by the OCC. Morgan Stanley allegedly failed to properly assess or address the risks associated with the decommission as well as with subcontracting the job, including in its selection and monitoring of the vendor, the OCC says. In addition, the OCC claims that Morgan Stanley didn’t have an appropriate inventory of the customer data on the hardware being decommissioned.
In 2019, “the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data,” according to the consent order.
Morgan Stanley consented to the civil money penalty without admitting or denying the findings, the OCC says.
Morgan Stanley voluntarily informed customers who may have been affected by the 2019 breach and notified those potentially impacted by the 2016 breach at the OCC’s direction, according to the consent order.
Morgan Stanley faces more than a half dozen class actions connected to the 2016 and 2019 breaches, all filed in the Southern District of New York by both current and former customers. The suits claim that Morgan Stanley failed to protect personal identifiable information when it decommissioned the hardware devices, exposing clients to hackers and the risk of identity theft.
In response to questions about the previous suits, Morgan Stanley has told FA-IQ that the company was continuously monitoring the situation and hadn’t detected any unauthorized activity resulting from the breaches.
"We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused," the bank tells Reuters and Bloomberg in a statement. "Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information."
Do you have a news tip you’d like to share with FA-IQ? Email us at firstname.lastname@example.org.