The financial advisor who took confidential data of 730,000 customer accounts from Morgan Stanley servers was not the only one at fault. So, too, was his employer.
Morgan Stanley (MS) enabled the behavior, the Securities and Exchange Commission said in a press release Wednesday. The SEC found that the investment banking giant Morgan Stanley failed to take proper precautions to safeguard customer data during a hack that resulted in private information being offered for sale online.
The SEC also fined the bank $1 million, saying in a press release: “Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data.”
Between 2011 and 2014, now former Morgan Stanley financial advisor, Galen Marsh, downloaded the confidential information of about 730,000 customer accounts to his home computer. Information from at least 900 clients appeared online in Dec. 2014, with the poster offering to sell additional data. Morgan Stanley later said it suspected Russian hackers had stolen the data from the former employee.
Marsh pled guilty to illegally accessing confidential client information in September. He received 36 months of probation and was ordered to pay $600,000 in restitution.
But now the SEC is saying that Morgan Stanley’s internal database of confidential customer data was not properly secure. Morgan Stanley did not restrict employee access to its customer’s information based on legitimate business need. Meaning Marsh, being a financial advisor, was given access to all clients within the bank’s Manhattan office. He also accessed information from other branches by using the identification numbers of other bank branches, financial advisors, and customer service associates.
The investment banking giant also failed to test its authorization practices, or monitor and analyze employees’ access to customer information, the SEC said.
Morgan Stanley agreed to settle the charges without admitting or denying the findings.
The decision also comes at a time when the federal government has become increasingly concerned about cybersecurity in banks. A few weeks earlier, the SEC said that the biggest threat facing financial systems both in the U.S. and abroad is cybersecurity. SEC chair Mary Jo White noted that while major financial entities were aware of the risk, they generally have “policies and procedures (that) are not tailored to their particular risks,” Reuters noted.
“Morgan Stanley is pleased to settle this matter,” a representative for the bank wrote in a statement. “No fraud against any client account was reported as a result of this incident.“
