Morgan Stanley Fined $60 Million for Exposing Customers' Data

The Office of the Comptroller of the Currency has fined Morgan Stanley $60 million for its failure to properly oversee the decommissioning of several data centers, putting customer data at risk of exposure.

When Morgan Stanley decommissioned two data centers related to the bank's wealth management business in 2016, the company did not properly oversee the third-party company responsible for ensuring that all personal data was removed, according to the OCC, which is part of the U.S. Treasury Department.

"In connection with the decommissioning, the bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware, failed to adequately assess the risk of using third-party vendors, including subcontractors, and failed to maintain an appropriate inventory of customer data stored on the devices," according to an OCC report.

The OCC also says Morgan Stanley neglected to exercise proper oversight while retiring certain network devices, such as computer servers, at a local branch in 2019.

A spokesperson for Morgan Stanley could not be immediately reached for comment. The OCC did describe how much customer data may have been exposed during these incidents.

The OCC fine comes about a month after attorneys representing Morgan Stanley customers filed a lawsuit against the bank, claiming it failed to properly safeguard personally identifiable information when the company discarded equipment.

Source: Bank Info Security