Global financial services firm Morgan Stanley has agreed to pay a $1 million penalty for failure to safeguard customer data, the U.S. Securities and Exchange Commission (SEC) said on Wednesday.
According to a statement by the SEC, the Wall Street bank violated a federal regulation – known as the “Safeguards Rule” – by failing to adopt federally required written policies and procedures reasonably designed to protect customer data.
As a result, former financial advisor Galen Marsh was able to gain access to confidential information and transfer client data from an estimated 730,000 accounts to his personal server from 2011 to 2014.
His personal server was ultimately hacked by third parties, the regulator said, and details of about 900 accounts were later released online:
“A likely third-party hack of Marsh’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities,” the SEC said.
In a separate SEC order, Marsh was barred from the industry for five years. In December, he was criminally convicted for the breach and was sentenced to three years probation, and ordered to pay $600,000 in restitution.
Marsh reportedly conducted about 6,000 unauthorized researches on the bank’s computer system, taking client names, addresses and phone numbers, as well as account numbers, fixed-income investment information and account values.
Although the bank did not admit or deny the offense, Morgan Stanley spokesman Jim Wiggins told Bloomberg the firm is pleased to settle the matter.
Wiggins added the bank “worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services.”