Most of us make IT blunders from time to time—but it’s not often that those mistakes are so egregious that they cost tens of millions of dollars.
That’s the situation Morgan Stanley Smith Barney found itself in on Tuesday, when the investment bank agreed to pay $35 million to settle charges brought against it by the U.S. Securities and Exchange Commission (SEC).
An SEC investigation found that over a five-year period, Morgan Stanley had been failed to properly dispose of devices that were storing its customers’ personal identifying information (PII). The SEC said in a statement that Morgan Stanley’s “extensive failures” had put around 15 million customers’ personal data at risk.
“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and [Morgan Stanley] fell woefully short in doing so,” Gurbir S. Grewal, director of the SEC’s Enforcement Division, said in the statement.
Litany of ‘astonishing’ mistakes
The litany of failures the SEC discovered during the investigation were, in the words of Grewel, “astonishing.”
On multiple occasions dating back to 2015, it was found that the bank hired a moving and storage company with no experience or expertise in data destruction to decommission hard drives and servers containing millions of customers’ PII.
Morgan Stanley failed to properly monitor the moving company’s work, the SEC said—and the moving company went on to sell thousands of Morgan Stanley devices that were storing PII.
Those devices were eventually resold, complete with the data, in an online auction.
Morgan Stanley had managed to recoup some of the devices, which contained thousands of pieces of unencrypted customer data, but the SEC said the company had failed to recover the vast majority of its improperly disposed hardware.
The devices had been equipped with encryption software, but the software had never been activated.
In 2017—a year after the completion of the data center decommissioning project—an Oklahoma IT consultant emailed Morgan Stanley to inform the bank he had purchased a hard drives online that were full of the company’s data.
“You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware,” the consultant said in the email. “Or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to.”
Morgan Stanley repurchased the hard drives from the consultant.
‘Disastrous consequences’ for investors
“If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors,” the SEC’s Grewel said. “Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
Morgan Stanley consented to pay $35 million to the SEC without admitting or denying the organization’s charges.
“We are pleased to be resolving this matter,” a Morgan Stanley spokesperson told Fortune on Wednesday. “We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information.”
Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.