Morgan Stanley fined $60m for improper disposal of personal data
The US Office of the Comptroller of the Currency (OCC) has fined Morgan Stanley $60 million over failures to properly decommission data centres.
The charges refer to the bank dismantling two data centres connected to its wealth management business in 2016.
According to the OCC, Morgan Stanley failed to oversee third-party companies responsible for the erasure and removal of personal data.
The OCC says the bank failed to “effectively assess or address risks associated with decommissioning its hardware”.
It adds US lender did not exercise “adequate due diligence” in selecting a vendor and monitoring its performance.
Morgan Stanley was found to have again failed during the removal of network devices and servers in 2019.
“We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused,” says a bank spokesperson.
“We have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information.”
The OCC censure arrives a few weeks after 100 Morgan Stanley customers filed a lawsuit against their bank. They claim it failed to protect identifiable information in waste hardware.
Morgan Stanley confirmed that breach in letters sent to the California attorney general. Among the details leaked were account names, passport numbers, and telephone numbers.
Related: Morgan Stanley blocks remote network access for China interns