OCC fines Morgan Stanley $60 million for 2016 data breach
WASHINGTON — Morgan Stanley was slapped with a $60 million fine by regulators Thursday for risk management problems tied to a 2016 data breach.
The consent order by the Comptroller of the Currency cited failures at both Morgan Stanley Bank NA and Morgan Stanley Private Bank NA related to the shutdown of two wealth management data centers and the company's use of third-party vendors to help with the closings.
The OCC found that the bank did not take proper precautions in dismantling and disposing of outgoing hardware that contained sensitive customer data and failed to properly supervise the vendors Morgan Stanley tasked with wiping customer data from the old equipment before it was resold.
“Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices,” the OCC said in a press release Thursday.
The OCC’s enforcement action is the latest development in recent months related to the 2016 closing of Morgan Stanley’s data centers. In August, shortly after the financial services company notified some customers in July that their personal data had potentially been compromised as the data centers were being decommissioned, a pair of class action lawsuits against Morgan Stanley landed in federal court.
According to court filings, plaintiffs claimed the data left on equipment included Social Security numbers, passport information and other account numbers. “The missing equipment and servers contain everything unauthorized third parties need to illegally use Morgan Stanley’s current and former customers’ [personal identifiable information] to steal their identities and to make fraudulent purchases,” one of the lawsuits said.
In a statement, a Morgan Stanley spokesperson said the company has “continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused. Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information."
“Safeguarding our client’s information is of paramount importance,” the spokesperson said.