Dive Brief:
- The Office of the Comptroller of the Currency (OCC) fined Morgan Stanley $60 million Thursday for failing to properly oversee the decommissioning of two data centers connected to its wealth management business in 2016.
- Morgan Stanley hired a third-party vendor to wipe data from servers and other hardware, but some customer information remained on the equipment after it was sold to a recycler, the bank's field management chief, Vince Lumia, wrote in a July memo, according to AdvisorHub. The recycler had alerted Morgan Stanley to the issue more than a year before the memo was sent.
- "We have continuously monitored the situation and we do not believe that any of our clients' information has been accessed or misused," Morgan Stanley said Thursday in a statement seen by Bloomberg and American Banker. "Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients' information."
Dive Insight:
The bank in July offered free two-year subscriptions to a credit report monitoring service to some current and former wealth management customers whose information may have been at risk, AdvisorHub reported.
"[W]e concluded that it would be very difficult for anyone to access or misuse the data, given what we believe subsequently happened to those devices and the fact that many of the devices had design features that made it unlikely that data was accessed or misused," Lumia wrote in the July memo. "We have continuously monitored the situation — looking not only for data associated with our current clients, but any information indicating a breach of Morgan Stanley client data — and have not detected any unauthorized activity related to the incident."
Nonetheless, plaintiffs in two class-action lawsuits filed against the bank in August claimed the data left on the devices included Social Security numbers, passport information and other account information.
"The missing equipment and servers contain everything unauthorized third parties need to illegally use Morgan Stanley's current and former customers' [personally identifiable information] to steal their identities and to make fraudulent purchases," one of the lawsuits said, according to American Banker.
The bank "failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices," the OCC said in a press release Thursday.
Morgan Stanley saw similar "vendor management control deficiencies" in 2019, when the bank decommissioned other hardware, the regulator said.