The US Office of the Comptroller of the Currency (OCC) has fined Morgan Stanley $60 million for failing to properly decommission two wealth management data centers in 2016.
The bank failed to properly oversee its contractors and the way they wiped data from servers and other hardware. Some customer information remained on the equipment after it was sold to recyclers, but there was no indication that any of the details were misused.
Plaintiffs in two class-action lawsuits filed against the bank this summer claimed the data left on the devices included Social Security numbers, passport information, and other account information.
Wealth management mismanagement
The OCC states that the bank "engaged in unsafe or unsound practices that were part of a pattern of misconduct" and failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices.
"The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance," the Department of the Treasury bureau said.
In a statement, Morgan Stanley said that it had "continuously monitored the situation" and did not "believe that any of our clients' information has been accessed or misused."
“Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information.”
The bank in July offered free two-year subscriptions to a credit report monitoring service to customers whose information may have been at risk.