- The Office of the Comptroller of the Currency (OCC) fined Morgan Stanley $60 million Thursday for failing to properly oversee the decommissioning of two data centers connected to its wealth management business in 2016.
- Morgan Stanley hired a third-party vendor to wipe data from servers and other hardware, but some customer information remained on the equipment after it was sold to a recycler, the bank's field management chief, Vince Lumia, wrote in a July memo, according to AdvisorHub. The recycler alerted Morgan Stanley to the issue more than a year earlier.
- "We have continuously monitored the situation and we do not believe that any of our clients' information has been accessed or misused," Morgan Stanley said Thursday in a statement seen by Bloomberg and American Banker. "Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients' information."
The bank in July offered free two-year subscriptions to a credit report monitoring service to some current and former wealth management customers whose information may have been at risk, AdvisorHub reported.
"[W]e concluded that it would be very difficult for anyone to access or misuse the data, given what we believe subsequently happened to those devices and the fact that many of the devices had design features that made it unlikely that data was accessed or misused," Lumia wrote in the July memo. "We have continuously monitored the situation — looking not only for data associated with our current clients, but any information indicating a breach of Morgan Stanley client data — and have not detected any unauthorized activity related to the incident."
Nonetheless, plaintiffs in two class-action lawsuits filed against the bank in August claimed the data left on the devices included Social Security numbers, passport information and other account information.
"The missing equipment and servers contain everything unauthorized third parties need to illegally use Morgan Stanley's current and former customers' [personal identifiable information] to steal their identities and to make fraudulent purchases," one of the lawsuits said, according to American Banker.
The bank "failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices," the OCC said in a press release Thursday.
Morgan Stanley saw similar "vendor management control deficiencies" in 2019, when the bank decommissioned other hardware, the regulator said.