The Securities and Exchange Commission today announced charges against Morgan Stanley Smith Barney LLC (MSSB). The allegations stem from the firm’s repeated failures, over a five-year period, to protect the personally identifiable information (PII) of approximately 15 million customers. MSSB has agreed to settle the SEC’s charges by paying a $35 million penalty.
According to the SEC’s order, MSSB failed to properly dispose of devices containing its customers’ PII beginning as early as 2015. To decommission thousands of hard drives and servers holding the PII of millions of customers, MSSB repeatedly hired a moving and storage company that had no experience or expertise in data destruction services. The SEC’s order further finds that, over a period of several years, MSSB failed to adequately monitor the moving company’s work.
According to the SEC staff’s investigation, the moving company sold thousands of MSSB devices, including servers and hard drives, to a third-party vendor. Some of these devices still contained customer PII and were subsequently resold on an internet auction site without having been wiped. MSSB has recovered a small number of these devices, which were found to contain unencrypted customer data; the vast majority of the devices have not been recovered.
The SEC’s order also finds that MSSB failed to properly safeguard customer PII and securely dispose of consumer report information when it decommissioned local office and branch servers as part of a broader hardware refresh program. During this decommissioning process, a records reconciliation exercise conducted by the firm found that 42 servers were unaccounted for, all of which potentially contained unencrypted customer PII and consumer report information. MSSB also discovered that, although the local devices being retired were equipped with encryption capability, the firm had failed to activate it for several years, so the data on the missing servers was stored in plaintext.
“The shortcomings of MSSB in this case are astounding. People entrust financial professionals with their personal data with the knowledge and expectation that it will be safeguarded, and MSSB fell severely short in doing so,” stated Gurbir S. Grewal, Director of the SEC’s Enforcement Division. “If this confidential material is not adequately protected, it might fall into the wrong hands and have terrible repercussions for investors. The action taken today makes it quite obvious that financial institutions have a responsibility to protect such data.”
Information security specialist, currently working as a risk infrastructure specialist and investigator.
15 years of experience in risk and control processes, security audit support, business continuity design and support, workgroup management, and information security standards.