Morgan Stanley to pay $1 mn for lax customer data protection

09 Jun 2016

US investment bank Morgan Stanley has agreed to pay $1 million for lax protection of customer data after an employee took records of some 730,000 clients, the Securities and Exchange Commission (SEC) announced yesterday.

According to the SEC, the bank failed to limit staff access to confidential customer account data. It added that the data taken by the former employee was eventually posted for sale on the internet by a third party.

The employee, Galen Marsh, downloaded the confidential records between 2011 and 2014 and transferred them to his home computer server, according to the SEC.

Later, according to the agency, Marsh's server was hacked, likely by a third party, to access the data, some of which was then posted for sale online.

When the case first emerged in early 2015, Morgan Stanley said no evidence had been found that customers had incurred any financial losses due to the data theft.

Marsh was later convicted of the theft, sentenced to 36 months of probation and ordered to pay $600,000 in restitution.

"Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection," said Andrew Ceresney, director of the SEC Enforcement Division, in a statement.

Morgan Stanley agreed to settle the charges but neither admitted nor denied the findings. The bank said in a statement that it "is pleased to settle this matter, which results from the theft by a former employee of certain limited client data that was reported in January, 2015. Following the discovery of the incident, Morgan Stanley promptly alerted law enforcement and regulators, and notified affected clients."

"Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data," the company statement added. "No fraud against any client account was reported as a result of this incident."