Morgan Stanley has paid another $35 million fine over IT Asset Disposal failures during data center and server decommissioning projects. The bank is accused of failing to protect the personal information of millions of customers.
The Securities and Exchange Commission (SEC) this week announced charges against Morgan Stanley Smith Barney LLC (MSSB, now known as Morgan Stanley Wealth Management) for ‘extensive failures to protect the personal identifying information of approximately 15 million customers over a five-year period.’
The SEC said MSSB has agreed to pay a $35 million penalty to settle the charges.
The charges related to the decommissioning of two data centers in 2016 and a later hardware refresh of local office and branch servers. The company had already paid out around $120 million in fines and settlements over the incidents prior to this latest fine.
“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir S. Grewal, Director of the SEC’s Enforcement Division. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
The SEC said Morgan Stanley failed to properly dispose of devices containing its customers’ PII during the decommissioning process, hiring a moving and storage company with no experience or expertise in data destruction services and failing to properly monitor the moving company’s work.
“The moving company sold to a third party thousands of MSSB devices including servers and hard drives, some of which contained customer PII, and which were eventually resold on an internet auction site without removal of such customer PII,” the SEC said. While Morgan Stanley managed to recover some of the lost hardware, the ‘vast majority’ has not been recovered.
The SEC also said the banking firm ‘failed to properly safeguard customer PII and properly dispose of consumer report information’ during a hardware refresh program for local office and branch servers. Later audits found that 42 servers, all potentially containing unencrypted customer PII and consumer report information, were missing out of the 500 replaced. And despite the decommissioned hardware having encryption capabilities, the firm had failed to activate the encryption software for years.
The US Office of the Comptroller of the Currency (OCC) fined Morgan Stanley $60 million in 2020 for failing to properly decommission two wealth management data centers in 2016 located in Poughkeepsie, New York, and Columbus, Ohio. According to the OCC, the bank “failed to exercise proper oversight” of the decommissioning of the two facilities.
The SEC complaint says the removals company handled approximately 4,900 devices from the two data centers, many of which were non-data-bearing devices but some of which contained unencrypted customer PII and consumer report information, including 53 RAID disk arrays that collectively contained approximately 1,000 hard drives. Approximately 8,000 back-up tapes were also removed from one of the data centers.
As a result of the breach, the company faced eight lawsuits, which were consolidated into one class-action case. The company was accused of “ignoring industry standards” around proper IT Asset Disposal (ITAD). It eventually agreed to another $60 million settlement.
In filings, the bank was accused of dismissing IBM in favor of an “unknown and unqualified vendor” to decommission its computer equipment as part of “profit-driven decisions” in order to save $100,000. The bank then contracted a firm called Triple Crown to remove, wipe, and recycle the devices.
Instead of proper disposal, Triple Crown reportedly sold the devices to another ITAD firm, AnythingIT, and reported to Morgan Stanley that the devices had been destroyed. AnythingIT then also failed to wipe the devices, and sold them to another ITAD company, known as KruseCom, which either destroyed or sold on the devices.
Though it acknowledged some lost hardware was never recovered, the bank has maintained throughout that no harm has come to customers as a result of the data loss.
In the 2019 incident, the bank removed and replaced around 500 Wide Area Application Services devices from branch offices, and was unable to account for all of the devices during a subsequent inventory. The manufacturer reportedly told the bank a ‘software flaw’ meant some deleted information could remain on the disk unencrypted.
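The control missing in both incidents was a reconciliation of the decommissioning inventory against verified vendor evidence of destruction, combined with knowing whether at-rest encryption was actually active on each device. The following is an added example of that check, not code from Morgan Stanley or any of the vendors named above; the asset IDs, inventory and certificate records are constructed for illustration.

```python
# Added example: reconcile a decommissioning inventory against vendor
# certificates of destruction and flag data-bearing devices that are missing,
# unverified, or were never encrypted. All identifiers below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                # e.g. "server", "hdd", "tape", "switch"
    data_bearing: bool       # could hold customer PII / consumer report data
    encryption_active: bool  # disk encryption actually enabled, not merely licensed


# Constructed sample inventory taken at the start of the refresh.
INVENTORY = [
    Asset("SRV-0001", "server", True, False),
    Asset("SRV-0002", "server", True, True),
    Asset("SRV-0003", "server", True, False),
    Asset("SW-0010", "switch", False, False),
    Asset("HDD-0100", "hdd", True, True),
]

# Constructed vendor certificates: asset_id -> (method, serial_verified_by_us).
# "serial_verified_by_us" is True only when our own staff matched the serial
# against the certificate rather than taking the vendor's report on trust.
CERTIFICATES = {
    "SRV-0001": ("wipe", True),
    "SRV-0002": ("shred", True),
    "SW-0010": ("recycle", True),
    "HDD-0100": ("wipe", False),
}


def reconcile(inventory, certificates):
    """Group data-bearing assets by the evidence gap found for each."""
    findings = {"missing": [], "unverified": [], "unencrypted": []}
    for a in inventory:
        if not a.data_bearing:
            continue  # non-data-bearing kit needs no sanitization evidence
        cert = certificates.get(a.asset_id)
        if cert is None:
            findings["missing"].append(a.asset_id)
        elif not cert[1]:
            findings["unverified"].append(a.asset_id)
        if not a.encryption_active:
            findings["unencrypted"].append(a.asset_id)
    return findings


def high_exposure(inventory, certificates):
    """Assets with no verified destruction AND no encryption: the worst case."""
    f = reconcile(inventory, certificates)
    unaccounted = set(f["missing"]) | set(f["unverified"])
    return sorted(unaccounted & set(f["unencrypted"]))
```

Run against a real inventory, a non-empty `high_exposure` list is the set of devices whose loss must be treated as a likely PII exposure rather than an accounting discrepancy.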